I would like to highlight the many examples of Certinomis' poor incident
response.

Sometimes Certinomis ignores problems entirely - for example, in
<https://bugzilla.mozilla.org/show_bug.cgi?id=1524103#c5>, a misissued
certificate is still unrevoked and unacknowledged three months after
being reported.  Other times, they respond with very sparse details,
for example <https://bugzilla.mozilla.org/show_bug.cgi?id=1551357#c3>
from yesterday.

Most of the time Certinomis appears to copy and paste the list
of problematic certificates that were reported to them instead
of performing their own investigation.  In some cases additional
problematic certificates are later discovered that they missed - for
example <https://bugzilla.mozilla.org/show_bug.cgi?id=1524103#c4> from
this year and <https://bugzilla.mozilla.org/show_bug.cgi?id=1496088#c9>
from last year.

The worst example is
<https://bugzilla.mozilla.org/show_bug.cgi?id=1551390> from yesterday,
in which Certinomis didn't even examine the full list of problematic
certificates that were reported to them.  I reported 174 certificates
with an OCSP status of "unknown."  In their incident response,
Certinomis stated that their "Web CA" issuer doesn't suffer from this
problem, even though seven of the certificates in my report were
issued from this CA.  Furthermore, between the time of my report and
Certinomis' response, two additional certificates were issued from "Web
CA" with an unknown OCSP status.  Neither was included in Certinomis'
response - instead, Certinomis just linked to the list I provided them.

As recently as last month, Certinomis blamed human error in
their incident response, stating that issuing certificates to
unregistered domains was "a single human error not a systemic issue"
<https://bugzilla.mozilla.org/show_bug.cgi?id=1544933#c1>, even though
the fact that human error is possible is the systemic issue, and even
though this incident was far from the first time Certinomis had issued
certificates without doing domain validation.

On May 6, 2019, François CHASSERY stated: "I confirm
that pre-issuance linting is now operationnal."
<https://bugzilla.mozilla.org/show_bug.cgi?id=1539531#c8>
On the basis of that response,
<https://bugzilla.mozilla.org/show_bug.cgi?id=1539531> and
<https://bugzilla.mozilla.org/show_bug.cgi?id=1542793> were resolved.

However, on May 13, 2019, Certinomis issued four certificates with
an invalid DNS SAN (lrcopro.), which is trivially detectable by
linting: <https://bugzilla.mozilla.org/show_bug.cgi?id=1551357>

In response, Certinomis stated that pre-issuance linting is actually
only operational under two of their issuing CAs, "Web CA" and "Safe CA".
Therefore, pre-issuance linting was never fully operational at
Certinomis, and it was misleading for them to state "pre-issuance
linting is now operationnal." This, combined with the incomplete
remediation last year in
<https://bugzilla.mozilla.org/show_bug.cgi?id=1496088#c20>, calls into
question any other remediation which they claim has been completed.

A CA that performs bad incident response will be unable to correctly
fix problems because they will fail to identify the full scope of the
issue or identify the root cause that needs to be fixed.  I believe the
evidence shows that Certinomis performs very poor incident response,
and continues to do so despite the new technical management.  They are
therefore unlikely to improve and will remain a risk to Firefox users.
They should be distrusted.

Regards,
Andrew
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
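The post's point about `lrcopro.` is that a malformed dNSName is trivially caught by pre-issuance linting, and that a lint gate wired into only some issuing CAs ("Web CA" and "Safe CA") is not a remediation. The following is an added illustration, not code from the post, from Certinomis, or from any real linter: a small dNSName checker approximating the RFC 5280 preferred-name-syntax rule plus the usual internal-name and wildcard checks, and a gate that applies it regardless of which issuing CA is signing. Function names, the rule wording and the sample requests other than `lrcopro.`, "Web CA" and "Safe CA" are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# One DNS label: 1-63 octets of letters, digits or hyphen, not starting or
# ending with a hyphen (RFC 1034 preferred name syntax as used by RFC 5280).
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def lint_dns_san(name: str) -> List[str]:
    """Return the problems found in one dNSName SAN value; [] means it passes.

    The rules are an approximation written for this example: trailing dot,
    length, empty labels, label syntax, wildcard placement and single-label
    (internal) names.  They are not a substitute for a full linter.
    """
    problems: List[str] = []
    if name == "":
        return ["empty dNSName"]
    if len(name) > 253:
        problems.append("name exceeds 253 octets")
    if name.endswith("."):
        # A dNSName is stored without the root dot; "lrcopro." is invalid.
        problems.append("trailing dot is not permitted in a dNSName")
    labels = name.rstrip(".").split(".")
    for i, label in enumerate(labels):
        if label == "":
            problems.append("empty label (leading or consecutive dots)")
        elif label == "*":
            if i != 0:
                problems.append("wildcard is only allowed as the left-most label")
        elif "*" in label:
            problems.append(f"partial wildcard label {label!r}")
        elif not _LABEL_RE.match(label):
            problems.append(f"label {label!r} violates preferred name syntax")
    if len(labels) < 2:
        # Single-label names are internal names and must not be issued publicly.
        problems.append("single-label name has no public suffix (internal name)")
    return problems


def lint_san_list(sans: List[str]) -> Dict[str, List[str]]:
    """Map each failing SAN to its problems; an empty dict means all pass."""
    findings: Dict[str, List[str]] = {}
    for name in sans:
        problems = lint_dns_san(name)
        if problems:
            findings[name] = problems
    return findings


def pre_issuance_gate(issuer: str, sans: List[str]) -> Tuple[bool, Dict[str, List[str]]]:
    """Decide whether a to-be-signed certificate may be issued.

    The decision deliberately ignores which issuing CA is signing: the gap the
    post describes was linting that ran under "Web CA" and "Safe CA" only, so
    a gate that consults the issuer name before linting would recreate it.
    """
    findings = lint_san_list(sans)
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    # Constructed issuance requests; the first SAN value is the one from the post.
    requests = [
        ("Web CA", ["lrcopro."]),
        ("Safe CA", ["www.example.com", "*.example.com"]),
        ("Another Issuing CA", ["www.*.example.com", "-bad.example.com"]),
    ]
    for issuer, sans in requests:
        ok, findings = pre_issuance_gate(issuer, sans)
        print(f"{issuer}: {'ISSUE' if ok else 'BLOCK'} {findings}")
```

The gate returns the full list of findings rather than stopping at the first one, so an incident report built from it can state the complete scope of what was caught, which is the part of incident response the post finds missing.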