Dear Mozilla Community,
Over the past couple of months, a substantial number of compliance incidents have arisen in relation to Entrust. We have summarized these recent incidents in a dedicated wiki page: https://wiki.mozilla.org/CA/Entrust_Issues. In brief, these incidents arose out of certificate mis-issuance due to a misunderstanding of the EV Guidelines, followed by numerous mistakes in incident handling (including a deliberate decision to continue mis-issuance), which have been compounded by a failure to remediate the issues in a timely fashion in line with well-established norms and root store requirements.
Our preliminary assessment of these incidents is that while they were relatively minor initially, the poor incident response has substantially aggravated them and the progress towards full remediation remains unacceptably slow. This is particularly disappointing in light of previous incidents in 2020 (#1651481 and #1648472), which arose out of similar misunderstandings of the requirements, similar poor decision-making in the initial response, and lengthy remediation periods that fell well below expectations. Entrust gave commitments in those bugs to address the root problems through process improvements, and it is concerning to see so little improvement 4 years later.
In light of these recent incidents, we are requesting that Entrust produce a detailed report of them. This report should cover in detail:
The factors and root causes that lead to the initial incidents, highlighting commonalities among the incidents and any systemic failures;
Entrust’s initial incident handling and decision-making in response to these incidents, including any internal policies or protocols used by Entrust to guide their response and an evaluation of whether their decisions and overall response complied with Entrust’s policies, their practice statement, and the requirements of the Mozilla Root Program;
A detailed timeline of the remediation process and an apportionment of delays to root causes; and
An evaluation of how these recent issues compare to the historical issues referenced above and Entrust’s compliance with its previously stated commitments.
Finally, Entrust’s report should include a detailed proposal on how it plans to address the root causes of these issues. In light of previous guarantees given by Entrust in 2020 to ensure speedy remediation in future incidents, this proposal should include:
Clear and concrete steps that Entrust proposes to take to address the root causes of these incidents and delayed remediation;
Measurable and objective criteria for Mozilla and the community to evaluate Entrust’s progress in deploying these solutions; and
A timeline for which Entrust will commit to meeting these criteria.
We strongly recommend that Entrust go beyond their existing commitment to offer systematic, automated solutions for effective remediation, like ACME ARI and that it also include clear and measurable targets for the adoption of these tools by new and existing subscribers.
This report should be submitted to Mozilla dev-security-policy mailing list for evaluation by the community and Mozilla, who will weigh whether Entrust’s report presents a credible and effective path towards re-establishing trust in Entrust’s operation. Submission should be no later than June 7, 2024.
We thank community members for their engagement on these issues and look forward to their feedback on Entrust’s report and proposed commitments.
Thanks,
Ben Wilson
Mozilla Root Program
Invalid data in State/Province Field -
https://bugzilla.mozilla.org/show_bug.cgi?id=1658792
It was initially discovered that Entrust had issued 395 OV SSL certificates to a large international organization with “NA” for the state/province information. Entrust worked on a drop-down list to prevent the error. Certificate revocation would not occur within established timeframes, so Bug #1658794 for delayed revocation was opened.
Late Revocation for Invalid State/Province Issue -
https://bugzilla.mozilla.org/show_bug.cgi?id=1658794
This is the delayed revocation bug related to Bug #1658792,
above. Entrust said that when educating large institutions about rapid
revocation, factors include who owns a certificate, where it is deployed, and
the type of system or application that requires the certificate. It also said that it was advocating
automation with such institutions to help speed up certificate replacement and to
minimize human error.
EV TLS Certificate incorrect jurisdiction -
https://bugzilla.mozilla.org/show_bug.cgi?id=1802916
Entrust mis-issued 322 EV certificates with the wrong state
and locality jurisdiction fields due to complex data entry processes. Entrust implemented
a different automated dropdown system for jurisdiction selection. Certificate revocation
would not occur within established timeframes, so Bug #1804753 for delayed
revocation was opened.
Delayed Revocation for EV TLS Certificate incorrect jurisdiction -
https://bugzilla.mozilla.org/show_bug.cgi?id=1804753
This is the delayed revocation bug related to Bug #1802916, above. Entrust listed 8 Subscribers who were pushing back on immediate certificate revocation and the reasons given (e.g. extensions granted due to end-of-year freezes). Entrust committed to “continue to develop and extend methods for automatic certificate renewal.”
Jurisdiction Locality Wrong in EV Certificate -
https://bugzilla.mozilla.org/show_bug.cgi?id=1867130
Two EV TLS Certificates were mis-issued due to human error in the Jurisdiction Locality field. (The incident revealed 340 additional accounts needing similar updates.) Entrust said it would enhance its linting processes to include possibly using an external service to validate locality data against verified country data.
SHA-256 hash algorithm used with ECC P-384 key -
https://bugzilla.mozilla.org/show_bug.cgi?id=1648472
A Mozilla policy was adopted to require hashing with SHA-384 for an ECC P-384 key. Existing CAs using SHA-256 were not re-configured when Mozilla adopted this policy. This incident revealed a serious gap in taking new requirements and implementing them. Ryan Sleevi noted that linting was just a safety net and not a systemic solution. Entrust was also criticized for the lack of detail in its incident report and its decision to not revoke the certificates.
Entrust committed to improving its monitoring and implementation of policy changes to prevent similar incidents. Ryan set forth a number of proactive systemic corrections that Entrust needed to take, rather than taking a reactive stance on matters of non-compliance.
Entrust committed to rigorous review of certificate profiles, browser policy revisions, and industry developments. As a final comment, Ryan said, “My big concern is, going forward, we see incident reports from Entrust take a more systemic, holistic response, like Comment #16, to try and cover the scenarios, and to provide sufficient detail about the situation and its failures to understand how those relate. The goal isn't to make CAs wear proverbial sackcloth, it's to try and make sure we're understanding how things go wrong, so that we can effectively collaborate on identifying solutions to avoid that going forward.”
Late Revocation due to SHA-256 hash algorithm -
https://bugzilla.mozilla.org/show_bug.cgi?id=1651481
This bug is related to Bug #1648472. Entrust issued TLS certificates using ECC P-384 keys hashed with SHA-256, contrary to Mozilla policy requiring SHA-384 for hashing. Entrust’s initial decision was to allow certificates to expire naturally without revocation, but this was revised with a decision to revoke all affected certificates. Entrust committed to: filing incident report within one business day for future incidents, filing late revocation incident reports within the required 24 hours or 5 days, as applicable, and advising Subscribers about revocation within 24 hours or 5 days, or provide an explanation if they are unable to meet such timeframes. Entrust was told it needed to align its revocation procedures more closely with the Baseline Requirements and Mozilla’s policy, especially in providing a detailed rationale for any delays in revocation on a per-subscriber basis and ensuring timely revocation in line with the Baseline Requirements.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabu3a3FRyG4C%3DDdXDSAAMbdPVKApACYnE%2Be2tFCsdULSQ%40mail.gmail.com.
To Ben Wilson and the Mozilla Community:
I want to acknowledge your letter and the input from you and the community. We agree that we have go-forward opportunities to improve.
To that end, I want to confirm our intent to provide a full written response to you and the community prior to June 7. Until then, please contact me directly with additional questions or feedback.
Sincerely,
Chris Bailey
VP-Digital Certificates
Entrust
The CA software has a bug which encodes quotation marks in the organization field using PrintableString instead of UTF8String. This software has not been fixed at this time.
To that end, I want to confirm our intent to provide a full written response to you and the community prior to June 7.
a full written response to you and the community prior to June 7.
prior to June 7
O_______O
Date: Fri, 7 Jun 2024 12:53:10 -0700 (PDT) From: "'Bruce Morton' via dev-secur...@mozilla.org" <dev-secur...@mozilla.org> To: "dev-secur...@mozilla.org" <dev-secur...@mozilla.org> Cc: Ben Wilson <bwi...@mozilla.com> Subject: Re: Recent Entrust Compliance Incidents
On Sat, Jun 8, 2024 at 2:15 PM Mike Shaver <mike....@gmail.com> wrote:
>"It would mean that revenue from the financial disincentive that Entrust puts in place against Subscriber automation (I believe it's called "SUB-PKI-CEG-ACME")"
So for four years, while Entrust told us it was working to get its
subscribers to automate, it was using this as a revenue opportunity
thus continuing manual processes? There is no way to reconcile this
with any sort of commitment here on Entrusts part to getting
subscribers to automate.
Could Mozilla update the root store policy to make clear that
improvements like ACME shouldn't be extra cost items but instead
considered part of the service provided to customers.
> On Jun 8, 2024, at 18:16, Watson Ladd <watso...@gmail.com> wrote:
>
>
> Could Mozilla update the root store policy to make clear that
> improvements like ACME shouldn't be extra cost items but instead
> considered part of the service provided to customers.
I don’t have an opinion on this but as someone who at $dayjob has been forced to request non-acme certificates manually, let me assure you that any vendor requiring me to do that quickly gets pulled in the “vendors to migrate away from” list. Any CA preferring manual issuance over automated issuance is going to find itself out of business soon (as are vendors providing web services requiring their customers to send them certs once a year manually while promising to support acme “soon”)
I would caution against that. Effectively, Mozilla would be fiddling
with the market. The market should be the one to punish (or reward)
Entrust for the premiums on manual issuance, not Mozilla. When
subscribers get tired of paying too much for the service, the customer
will go elsewhere.
In my mind's eye, there are two things to observe. First is the
CA/Browser Standards ("what we do"), and second is the CA Operating
Procedures ("how we do it").
Apologies, I somehow managed to send white-on-white HTML from gmail mobile and I honestly have no idea how.
On Sat, Jun 8, 2024 at 9:48 PM Jeffrey Walton <nolo...@gmail.com> wrote:
> I would caution against that. Effectively, Mozilla would be fiddling
> with the market. The market should be the one to punish (or reward)
> Entrust for the premiums on manual issuance, not Mozilla. When
> subscribers get tired of paying too much for the service, the customer
> will go elsewhere.
Hey, uh, yeah…Mozilla sort of exists to “fiddle with the market” in ways that it feels protect the web’s users from the direction that The Market might otherwise take. It’s sort of “their thing”.
But that rather jarring dissonance aside, nobody is objecting to premiums on manual issuance. It is precisely the opposite: it is an objection to charging Subscribers *extra* for using *automated* tools that make the web safer (and which indeed should be cheaper for the CA to operate than a manual process, but you know how it is with rent seeking).
The CA’s primary responsibility is to the web’s users, not to its customers. They all know this. It can require that they not always optimize for short-term business outcomes, but if they are not comfortable with that *very* explicit tension, then this is not an appropriate business for them.
> In my mind's eye, there are two things to observe. First is the
> CA/Browser Standards ("what we do"), and second is the CA Operating
> Procedures ("how we do it").
I guess that is a way that these things could have evolved in a parallel universe, but you have perhaps noticed that the BRs already have many directions as to how things must be done. The BRs are in fact growing more such directions over time as it becomes increasingly clear that not all CAs can be trusted to do the things that are best for the health of the WebPKI; see the active discussion about linting practices in the SCWG, for example.
On Jun 8, 2024, at 23:53, Mike Shaver <mike....@gmail.com> wrote:The CA’s primary responsibility is to the web’s users, not to its customers.
That is an interesting view, possibly not shared by its shareholders or the legal framework of the countries they operate in.
All,
This is to acknowledge that we have received Entrust's June 7 Report regarding its non-compliance issues and associated remediation plans. Mozilla will thoroughly review the report and provide comments, requests for clarifications, and verify that the requested items have been and will be addressed in accordance with the request for the Report and the Action Items listed in Bugzilla Bug #1901270.
Our review process will include:
We will follow up with specific comments and requests for clarifications as needed.
Thank you for your attention to these important matters.
Ben
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/ebea97dc-1871-4588-93b7-8fd97f50ec0cn%40mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaY7Bx30Ck4ZKRP4dKTBfmEqxLKiV6FZPvPN31AbLxWcZA%40mail.gmail.com.
Does this mean that the window has closed for feedback to Mozilla on the report and its responsiveness to the request?
Will requests for clarification be in this thread, the listed bug, or elsewhere?
Preferably here, but if the requests for clarification are structured in markdown in Bugzilla as replies to Comment 1, then that would be acceptable, too. Otherwise, general comments and critiques should be made here.
For efficiency, it is requested that comments and requests for clarification be collected into as few emails/posts as possible and not be posted in piecemeal fashion.
So far, we have received substantive comments and questions on Entrust’s June 7 Report from Amir, Wayne, and Watson.
Are others planning to submit comments or to request clarification and additional information from Entrust?
Thanks,Ben