Hello Ryan,
> In the design of this template, one of the concerns was about understanding *how* a problem happened, not just how a CA responded. This is why it includes text such as "This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done."

> 1) When were the policy templates introduced

We are using Verizon UniCERT PKI software. Policies or templates are an integral part of the software and they have existed there all along.

> 2) When were the policy templates reviewed

All policies/templates were reviewed right after the incident occurred. We have also added a procedural step for periodic certificate policy template validation.

> 3) What are the templates review practices.

We have added dual CAO control for modifying policy templates, which requires the presence of 2 CAOs (Certification Authority Operators). All policies/templates are reviewed against the purpose of the given policy and the CP/CPS.

> 4) What controls, if any, exist to ensure that all templates are appropriate to the controls?

We started the process of implementing pre-issuance linting just after the email pointing out our misissuance. We have requested pre-issuance linting functionality/a patch with high priority from Verizon UniCERT. We will implement post-issuance linting with crt.sh as well.

Best regards,
Piotr Grabowski

________________________________
From: Ryan Sleevi <[email protected]>
Sent: Tuesday, 9 October 2018 02:25:27
To: Grabowski Piotr
Cc: mozilla-dev-security-policy
Subject: Re: 46 Certificates issued with BR violations (KIR)

On Mon, Oct 8, 2018 at 11:25 AM piotr.grabowski--- via dev-security-policy <[email protected]> wrote:

> Here's the incident report:
>
> 1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, via a discussion in mozilla.dev.security.policy, or via a Bugzilla bug), and the date.
>
> Email from Wayne Thayer Oct 1, 2018
>
> 2. A timeline of the actions your CA took in response.
>
> A. Oct 2, 2018 - Investigation began.
> B. Oct 4, 2018 - Found impacted certificate policy templates.
> C. Oct 4, 2018 - All the certificate owners were contacted and agreed on issuance of new BR-compliant certificates at a time convenient for them, preferably not later than the end of this year, and revocation of the current ones.
> D. Oct 8, 2018 - Fixed impacted certificate policy templates.
> E. Oct 8, 2018 - This disclosure.

Can you please re-review https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report ?

In the design of this template, one of the concerns was about understanding *how* a problem happened, not just how a CA responded. This is why it includes text such as "This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done."

1) When were the policy templates introduced
2) When were the policy templates reviewed
3) What are the templates review practices
4) What controls, if any, exist to ensure that all templates are appropriate to the controls?

The misconfiguration of certificate policy templates is a significant incident, precisely because there have been significant CA misissuances as a result of it. In this regard, a CA that is misconfiguring policy templates is arguably as negligent as one failing to perform domain validation - this is an incredibly significant mistake by a CA. A responsible CA seeking continued trust in their certificates would thus want to demonstrate that they understood how significant this was, and provide detailed descriptions about the timeline of events and the controls and practices they have in place to mitigate the risk of template misconfiguration. Anything short of that is gross negligence on behalf of a CA.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
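A lint gate of the kind the reply above says KIR is adding, as an added example that is not KIR's, Verizon UniCERT's or the thread's own code: Go's x509.Certificate is both the issuance-template type and the parsed-certificate type, so one function can check a policy template before issuance and a parsed certificate after. The 825-day cap, the check list and the two sample templates are assumptions, since the thread does not say which BR clauses the 46 certificates violated.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// Assumption: 825 days, the BR validity cap for subscriber certificates in force in 2018.
const maxBRValidity = 825 * 24 * time.Hour

// LintLeaf returns BR findings for a subscriber certificate or template; empty means pass.
func LintLeaf(c *x509.Certificate) []string {
	var f []string
	if c.NotAfter.Sub(c.NotBefore) > maxBRValidity {
		f = append(f, "validity exceeds 825 days")
	}
	if len(c.DNSNames) == 0 && len(c.IPAddresses) == 0 {
		f = append(f, "no dNSName or iPAddress in subjectAltName")
	}
	if c.IsCA || c.KeyUsage&x509.KeyUsageCertSign != 0 {
		f = append(f, "CA-only attributes (cA=TRUE or keyCertSign) on a subscriber certificate")
	}
	return f
}

// BadTemplate is a constructed misconfigured server profile (CA flags, no SAN, 3-year life).
func BadTemplate() *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: now, NotAfter: now.Add(3 * 365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		IsCA: true, BasicConstraintsValid: true,
	}
}

// GoodTemplate is the same constructed profile after a template review corrected it.
func GoodTemplate() *x509.Certificate {
	t := BadTemplate()
	t.NotAfter, t.DNSNames = t.NotBefore.Add(398*24*time.Hour), []string{"example.test"}
	t.KeyUsage, t.IsCA = x509.KeyUsageDigitalSignature, false
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return t
}

func main() {
	fmt.Println(LintLeaf(BadTemplate()), LintLeaf(GoodTemplate())) // 3 findings, then []
}
```

Running the same function over a parsed certificate fetched from crt.sh gives the post-issuance pass, so template and issued-certificate checks cannot drift apart.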

