Hello MDSP, Logius PKIoverheid wants to report a potential issue that we've found with one of our TSPs issuing certificates under the Staat der Nederlanden Root CAs
All times are in UTC +1 ________________________________ 1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date. 3/8/2019 12.30, due to reviewing discussions in mozilla.dev.security.policy. 2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done. 30/9/2016 Ballot 364 came into effect. The CP of Logius PKIoverheid already stipulated the use of 64-bit serial numbers and as such, no change was deemed necessary to the CP. Our CP (Programme of Requirements) is a baseline document, stating the absolute minimum. This ballot predates the incident which PKIoverheid had about serial numbers with one of her other TSP's in 2017 [1]. Measures which were taken then didn't apply retroactively. 3/8/2019 12.30 While reading MSDP the Logius PKIoverheid started an investigation if it was possible that her TSP's had this implementation/interpretation issue 3/8/2019 13.15 Logius PKIoverheid suspects that this issue could potentially impact one or more of the TSPs under PKIoverheid. Logius PKIoverheid asked the TSP KPN to launch an investigation if said issue was applicable to certificates issued by KPN. 3/11/2019 09:53 Logius PKIoverheid asked KPN for an update following statements from both Google and Mozilla representatives stating that in their view the matter as reported by several other CAs violates the BRG. 3/11/2019 16:55 KPN answers that this issue is potentially impacting all of their issued TLS certificates issued between September 30, 2016 and March 5, 2019. On March 5, 2019 KPN switched to using 96 bit serial numbers (already planned a while ago, this was not related to the current issue at hand). 3/12/2019 10:30 Due to the potential impact of revoking (and replacing) the PKIoverheid certificates from KPN issued in the period an incident is raised within Logius. KPN PKIoverheid certificates are in use by many Dutch government parties including the national ID system (DigiD), the tax services and Dutch customs. Because of this a crisis team is formed (also due to the fact that March/April is the month in which most tax returns need to be filed and the ever increasing change of a no-deal Brexit, which would greatly impact Dutch Customs) . 3/13/2019 12:00 Logius PKIoverheid orders KPN to further investigate which certificates are exactly affected and order KPN to revoke the certificates in question. 3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation. All certificates issued by KPN after March 5 08:30 are using 96-bit serial numbers. As mentioned this was a change unrelated to the current issue. As far as we know there are no TSPs within PKIoverheid other than KPN were up to recently issuing certificates with this issue. Further investigation is ongoing to see if there are possible historic issuance that might be impacted by this issue. We will post an update when we have more information. 4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued. Potentially 22.000 TLS certificates issued by KPN CAs https://crt.sh/?id=63094369 and https://crt.sh/?id=16678400. Also potentially ~350 EV certificate issued by CA https://crt.sh/?id=15971988. Investigation is still ongoing to which certificates are exactly affected. 5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem. Still being collected. Will update when available. 6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now. As stated in the timeline, the Programme of Requirements (PoR, CP) PKIoverheid already stipulated the use of a serial number with a 64-bit length. When ballot 264 went into effect, both the PA and the TSPs determined that PKIoverheid was already compliant. The conversations about the underlying thoughts or intent of the ballot were seen at the time but not taken into account when deciding the final impact. The final text of the ballot after it was passed was used to check if implementations were correct. In this case the TSP also relied on the configuration of EJBCA and assumed that this was the correct implementation (again, also based on their interpretation of the text). 7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things. Still being worked on. The intention is to revoke all affected certificates within 30 days. Will update when we have more information. [1] https://groups.google.com/d/msg/mozilla.dev.security.policy/vl5eq0PoJxY/W1D4oZ__BwAJ Kind regards, Jochem van den Berge CISSP Logius PKIoverheid Public Key Infrastructure for the Dutch government ........................................................................ Logius Ministry of the Interior and Kingdom Relations (BZK) Wilhelmina van Pruisenweg 52 | 2595 AN | The Hague PO Box 96810 | 2509 JE | The Hague ........................................................................ jochem.vanden.be...@logius.nl<mailto:jochem.vanden.be...@logius.nl> http://www.logius.nl<http://www.logius.nl/> Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten. This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
