CA/e-commerce-monitoring Issues
This page lists recent (May-June 2024) bugs involving the CA operator e-commerce monitoring (ECM). This list of issues is not comprehensive. It will be updated by Mozilla if needed, but please do not edit this page yourself. If you have proposed changes, post them to the Mozilla dev-security-policy list or email them to certificates@mozilla.org.
Contents
SCT in precertificate
https://bugzilla.mozilla.org/show_bug.cgi?id=1815534
The certificate transparency (CT) component of ECM’s CA software was misconfigured and lacked internal controls (allowing the creation of a CT pre-certificate containing an SCT), and it was not updated to accommodate URL changes. ECM did not revoke the mis-issued pre-certificate within 5 days. ECM’s incident reporting did not meet expected standards of detail and clarity. The incident report did not adequately address root causes or clearly explain corrective measures or their effectiveness in preventing future incidents. See Comment #30. There was significant delay (nearly 3 months) in responding to a request for an updated incident report. See Comment #37.
Issues: Certificate Misissuance; Incident Reporting; Incident Response; Delayed Revocation
Certificate issued with two pre-certificates
https://bugzilla.mozilla.org/show_bug.cgi?id=1830536
Related to Bug #1815534, it was also discovered that in an attempt to obtain a sufficient number of SCTs, ECM’s CT component submitted two pre-certificates for a single final certificate (all with the same serial number). These two incidents exposed a lack of internal verification processes and automated checks for changes to CT log servers. ECM noted that "certificate transparency has brought a new dimension as described in the present report – the fact that also an assumed-to-exist-certificate is in scope by virtue of Mozilla Root Store Policy 5.4. This had not been properly taken into account in our interpretation and measures, respectively." Comment #1
Issues: Certificate Misissuance; Incident Reporting
Delayed Revocation
https://bugzilla.mozilla.org/show_bug.cgi?id=1862004
Related to Bug # 1815534, it took ECM 13 days to ask whether revocation was necessary, and then actual revocation took place 51 days after initial notification. This bug was opened because of the delayed revocation (as noted here https://bugzilla.mozilla.org/show_bug.cgi?id=1815534#c12 and here - https://bugzilla.mozilla.org/show_bug.cgi?id=1815534#c20). ECM was asked to provide "an analysis to determine the factors that prevented timely revocation of the certificates, and include a set of remediation actions in the final incident report that aim to prevent future revocation delays." It was also noted that the CCADB website provides a recommended incident reporting template. Generally, ECM has not met community expectations for incident reporting because it has focused on operational details without tackling systemic, root cause issues or “lessons learned”, which would help ECM and others improve their compliance. Commenters in the bug also asked for action items to prevent delayed revocation in the future, better awareness of industry requirements, better incident reporting, and more thorough management of CP and CPS documentation.
Issues: Delayed Revocation; Incident Reporting; Policy Documentation
Precertificate validity does not match leaf certificate
https://bugzilla.mozilla.org/show_bug.cgi?id=1883711
ECM became aware that it had created a pre-certificate and corresponding final certificate with different validity periods. It noted the problem, and revoked both the pre-certificate and the final certificate, however ECM selected an incorrect value for the revocationReason CRL extension. More than a month went by without acknowledging the misissuance and attempting to remediate the underlying causes. ECM discovered a bug in their system that caused the mismatched validity periods when the pre-certificate and final certificate are not issued on the same day. ECM’s incident reporting did not disclose a second occurrence related to the issue. ECM was asked several follow-up questions about the incident report. Some questions were not promptly answered because ECM apparently lacks adequate personnel to provide more timely answers. The bug also reveals that ECM needs better communication, incident reporting and incident management in order to increase transparency and community trust.
Issues: Certificate Misissuance; Incident Reporting; Incident Handling; Insufficient Staffing
CRLs with mismatched issuer
https://bugzilla.mozilla.org/show_bug.cgi?id=1888371
ECM issued CRLs with issuer names that were not byte-for-byte identical to the names in the issuer fields of the certificates. The timeline for remediation of this issue was unacceptably long, which highlighted the concern that ECM was incapable of handling critical CA operations because of inadequate resource allocation.
Issues: CRL Failure; Incident Reporting; Incident Handling; Insufficient Staffing
Failure to follow incident report requirements
https://bugzilla.mozilla.org/show_bug.cgi?id=1893546
This bug was opened to record ECM’s delayed responses, inadequate incident reporting, and overall non-compliance with reporting requirements. The root causes for these failures appear to include, but not be limited to, inadequate staffing and management changes. [Note: ECM claims that it will take action by increasing staffing, improving monitoring and alerting tools, providing additional training and reviews, and improving overall compliance and operational practices, but there is doubt due to a lack of detail concerning the timely and effective implementation of such actions.]
Issues: Incident Reporting; Incident Handling; Insufficient Staffing