Hi Rob,
Thank you for the comprehensive survey and for clearly communicating your findings.
In response to your questions, and from the perspective of the Chrome Root Program:
1. Is a CA's incident report expected to disclose the affected certificates that have already expired prior to the CA's response to the incident?
We see disclosing the full set of affected certificates, regardless of whether they have expired or have been revoked, as presenting the community with the most complete perspective of an incident’s impact. This is our preferred approach.
2. Is a CA's incident report expected to disclose the affected certificates that have already been revoked prior to the CA's response to the incident?
Yes, similar to the previous question, our preference is to collect the most complete perspective possible.
3. Is a CA's incident report expected to disclose both an affected precertificate and its corresponding certificate? Or just one of the pair?
You raise an opportunity for improvement. Historically, a list of precertificates was considered acceptable. However, having both precertificates and final certificates provides a more comprehensive perspective, which we consider favorable.
We appreciate other thoughts and perspectives.
Additionally, we’ll plan to sync on these opinions with the other members of the CCADB Steering Committee, which could ultimately lead to an update of https://www.ccadb.org/cas/incident-report.
Thanks again!
-Chris
--
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/MW4PR17MB47290848C0FE089BD12FA77AAA002%40MW4PR17MB4729.namprd17.prod.outlook.com.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CAAbw9mCwjzphmV3r-W%3DoSyGiGXdoBqhvcvnCyMkSogiq0%2BTthQ%40mail.gmail.com.
Hi Aaron,
You raise some excellent points. Thanks for your feedback. It seems like (1) we generally agree on a goal of providing the most complete set of data possible, and (2) there’s an opportunity to balance our desires for the completeness, usefulness, and practicality of the certificate data in question.
With this community’s help (especially yours), the CCADB Steering Committee launched an updated Incident Report Template in October 2023. Though this template has only been in use for a short while, we believe there are opportunities to further promote consistency and transparency in Incident Reporting.
One enhancement idea was to include a bulleted list of specific questions that would better guide responses for all given sections rather than the current free-form response approach based on some of the section descriptions on CCADB.org (i.e., the Impact section). The Impact and Appendix sections are similar in that they intend to describe the size and nature of the incident, and it's possible an enhancement to one can benefit the other.
For example, the “Impact" section could be transformed…
From (current): “The Impact section should contain a short description of the size and nature of the incident. For example: how many certificates, OCSP responses, or CRLs were affected; whether the affected objects share features (such as issuance time, signature algorithm, or validation type); and whether the CA Owner had to cease issuance during the incident.”
To (illustrative): something like the following (intends to describe fields and expected responses)…
Total number of pre-certificates: [if applicable, the total count of pre-certificates affected by the issue(s) described in this incident report, including expired and revoked pre-certificates]
Total number of certificates: [if applicable, the total count of "final" certificates affected by the issue(s) described in this incident report, including expired and revoked certificates]
Total number of "remaining valid" certificates: [if applicable, the total count of "final" certificates affected by the issue(s) described in this incident report, minus expired and revoked certificates. Minimally, this set of certificates MUST be disclosed in the Appendix section of this report.]
Incident heuristic: [if applicable, EITHER: (a) describe a heuristic that would allow a third-party to assemble the full corpus of affected certificates, if not provided in the Appendix (e.g., "Any certificate containing policy OID 1.2.3.4.5.6 and issued between 11/13/2024 and 4/11/2024 is affected by this incident. Certificates that have been revoked or are expired are omitted from the certificate list disclosed to the Appendix.") --- (b) clearly explain why this isn't possible (e.g., "This incident affected every certificate issued between 5/25/2023 and 6/15/2024 that relied upon BR Validation Method 3.2.2.4.19. Because the relied upon validation method is not described in a certificate, this heuristic cannot be used by a third-party to assemble the full corpus of affected certificates. Certificates that have been revoked or expired have been omitted from the certificate list disclosed to the Appendix.), --- or (c) the full corpus of affected certificates are disclosed in the Appendix.]
Was issuance stopped in response to this incident, and why or why not?: [yes/no - explanation (e.g., "Yes. As described in the incident timeline, we stopped issuance after learning of this issue to correct the corresponding certificate profile.")]
This is just an example, and we might need to more thoughtfully consider incidents that don’t involve certificates before it can be considered for adoption. What’s helpful to us, though, is that this proposed approach can more consistently describe the impact of an incident - while also possibly offering a balance between our desire for completeness (i.e., satisfied by counts and a clear description of an incident heuristic) and practicality (only requiring disclosure of the “remaining valid" certificates in the Appendix). There might be unexpected benefits from this approach, for example, the heuristic may make it easier for other CA Owners to evaluate whether they share the same issue being reported.
We’re interested in your feedback, and that of other community members, in how this might help better define community expectations - and further improve the incident reporting process.
Thanks,
Ryan
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CAEmnErci%2ByV6A9LDioRJWyeXUobMpRo3_G4pP4eymTb1d%3DB_Kw%40mail.gmail.com.
Are the challenges with acquiring a full list of affected certificates
applicable only to expired certificates, or also unexpired certificates?
What makes your database for expired certificates less easily-queryable?
Does it require additional staff time to query, or is it just a matter
of waiting for a query to complete?
How much longer would incident response and remediation take if you had
to query your last 2 years of expired and unexpired certificates, as
opposed to only unexpired certificates?
In particular, every precertificate implies the existence of a corresponding final certificate whether the CA says they issued it or not. Treating final certificates and precertificates as equivalent during incident reporting reinforces this rather important facet of CT. Treating them differently may give the impression that "precertificate misissuance" is less bad than "certificate misissuance", a corrosive idea that CAs have repeatedly tried to exploit.