Action on Camerfirma Root CAs


Ben Wilson

Feb 4, 2021, 2:48:58 PM
to mozilla-dev-security-policy
All,

Thank you for your continued participation in this discussion, and for
those of you who have provided very thoughtful comments.
As many of you have pointed out, there do not appear to be remediation
actions that Camerfirma can take at this time to sufficiently reduce the
risk of continuing to keep the Websites trust bit enabled for the
Camerfirma root certificates. Note that Camerfirma has indicated to us that
they are exiting the TLS certificate business.

The things that have stood out to me and Kathleen regarding Camerfirma’s
issues are:

- Camerfirma has not demonstrated an ability to keep up with the CA/Browser Forum’s updates to the Baseline Requirements and continues to miss Effective Dates. (https://wiki.mozilla.org/CA:Camerfirma_Issues#Issue_VV:_Certificates_without_CABForum_OV_Reserved_Policy_Identifier_.28Jan._2021.29)

- A significant number of the issues that have been documented were caused by Camerfirma’s unconstrained subordinate CAs.

- There is an unresolved gap in audit periods (https://wiki.mozilla.org/CA:Camerfirma_Issues#Issue_JJ:_Unresolvable_Gap_in_Audits_.28Camerfirma.29_.282018_-_2019.29)

- Incidents / Compliance Bugs did not appear to be handled with urgency, in regard to providing status and updates about how the CA was responding to each incident and what actions they were taking to ensure that each mistake would not be repeated in the future.

- Root cause analysis results were not shared in a timely manner.

- Questions were not answered quickly or with sufficient detail.

- Incident reports were delayed.

Given the foregoing, we intend to turn off the Websites trust bit for the
following root certificates in our upcoming batch of changes to Mozilla’s
root store, which is expected to happen in Firefox 88 (
https://wiki.mozilla.org/Release_Management/Calendar):

- Chambers of Commerce Root - 2008 - https://crt.sh/?id=409684

- Global Chambersign Root - 2008 - https://crt.sh/?id=1044840

The Email (S/MIME) trust bit will continue to be enabled for these two root
certificates. In this regard, we ask Camerfirma to share with the community
its 2020 audit report and scope of audit controls that cover issuance and
management of S/MIME certificates, provide a migration plan for the older
2003 roots (see below), and provide an Improvement Action Plan.

We also intend to set the “Distrust for S/MIME After Date” to March 1,
2021, for the following older root certificates and request that Camerfirma
send us the number of valid certificates in their hierarchies and when they
expire:

- Chambers of Commerce Root - https://crt.sh/?id=1251

- Global Chambersign Root - https://crt.sh/?id=10249844

We previously denied inclusion of Camerfirma’s 2016 root certificates, and
we uphold that decision --
https://bugzilla.mozilla.org/show_bug.cgi?id=986854#c62. As Wayne said in
the discussion (
https://groups.google.com/g/mozilla.dev.security.policy/c/skev4gp_bY4/m/GFpBHH63CQAJ
): “AC Camerfirma is welcome to submit a new inclusion request for a newly
generated root using a new key pair.”

Cross-signing of Camerfirma’s root certificates by another root in
Mozilla’s root store will only be acceptable after Camerfirma has completed
an Improvement Action Plan, and after section 8 of Mozilla’s root store has
been satisfied.

Also, before requesting inclusion of any new root certificates, Camerfirma
will need to complete said Improvement Action Plan to demonstrate that past
problems have been resolved and will not be repeated, and that the CA is
following best practices for operation and issuance of certificates.

Camerfirma will provide:

1) Its 2020 audit report

2) The scope document of controls audited for the 2008 roots

3) A migration plan for the older roots

4) An Improvement Action Plan

Regards,

Ben and Kathleen

Kathleen Wilson

Feb 10, 2021, 7:28:28 PM
to mozilla-dev-s...@lists.mozilla.org
I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1692094 to turn off
the Websites trust bit for the 2008 root certs, and to set the "Distrust
for S/MIME After Date" for the older root certs.

Thanks,
Kathleen