AC Camerfirma's undisclosed intermediate certificates incident report

Hello,


1) How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

We received a communication via Bugzilla from Wayne Thayer (https://bugzilla.mozilla.org/show_bug.cgi?id=1455147) on 2018-07-30 16:31:25 PDT. Wayne, thanks once again.

2) A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

The task of disclosing the first CA certificate (https://crt.sh/?sha256=1defd59846cc2049ba1f1a74d3a8329d1357a2d47c1e1b0c15c27a8c60295455&opt=mozilladisclosure) was identified and planned previously, and it had to be done once the certificate was issued on Jun 29 10:27:17 2018 GMT.

The second CA certificate (https://crt.sh/?sha256=06a57d1cd5879fba2135610dd8d725cc268d2a6de8a463d424c4b9da89848696&opt=mozilladisclosure) was issued on Jul 3 12:01:18 2018 GMT.

We failed to perform the task of disclosing the CAs into CCADB.

We disclosed these certificates on July 31st.

6) Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

The procedure established to publish the CAs into CCADB wasn't correct because it didn't foresee the contingency that the person in charge of disclosing CA certificates into CCADB and the person acting as a backup would both be unavailable.

7) List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

We're adding a third person as a point of contact into CCADB. We've already made the request, and the person already has the necessary knowledge to manage this task.


Juan Angel
martin_ja
8/2/2018 1:19:42 PM
mozilla.dev.security.policy
