Difference between revisions of "CA/Lessons Learned"
From MozillaWiki
< CA
(Initial table for "Lessons Learned" wiki page.) |
m (Saving edits) |
||
| Line 8: | Line 8: | ||
! style="width: 70%;" | Mitigation Strategies | ! style="width: 70%;" | Mitigation Strategies | ||
|- | |- | ||
| − | | General Issues of Non-Compliance | + | | General Issues of Non-Compliance |
| − | | | + | | audits and reviews; training; automated compliance tools |
|- | |- | ||
| − | | Certificate Profile Errors | + | | Certificate Profile Errors |
| − | | Use standardized templates; | + | | Use standardized templates ; profile validation |
|- | |- | ||
| − | | Duplicate Serial Numbers | + | | Duplicate Serial Numbers |
| − | | Unique serial number generation; database checks | + | | Unique serial number generation; database checks |
| + | |||
|- | |- | ||
| − | | | + | | Serial Number Entropy |
| − | | | + | | ; follow cryptographic best practices |
|- | |- | ||
| − | | Improper Key Usage | + | | Improper Key Usage |
| − | | | + | | ; |
|- | |- | ||
| − | | Invalid CN/SAN Entries | + | | Invalid CN/SAN Entries |
| − | | | + | | ; automated checks for CN and SAN matching |
|- | |- | ||
| − | | Invalid Certificate Extensions/Non-Standard Extensions | + | | Invalid Certificate Extensions/Non-Standard Extensions |
| − | | | + | | extensions; |
|- | |- | ||
| − | | Invalid OrganizationIdentifier | + | | Invalid OrganizationIdentifier |
| − | | | + | | validation processes ; |
|- | |- | ||
| − | | Overly Long Certificate Lifetimes/Validity Periods | + | | Overly Long Certificate Lifetimes/Validity Periods |
| − | | | + | | maximum validity periods ; |
|- | |- | ||
| − | | Use of Deprecated Algorithms | + | | Use of Deprecated Algorithms |
| − | | Stay | + | | Stay with approved algorithms ; checks |
|- | |- | ||
| − | | Wildcard Mis-issuance | + | | Wildcard Mis-issuance |
| − | | | + | | encoding ; |
|- | |- | ||
! colspan="2" style="text-align:left;" | Incorrect Certificate Subject Details | ! colspan="2" style="text-align:left;" | Incorrect Certificate Subject Details | ||
Revision as of 04:21, 30 June 2024
|
THIS PAGE IS A WORKING DRAFT | 
|
| The page may be difficult to navigate, and some information on its subject might be incomplete and/or evolving rapidly. If you have any questions or ideas, please add them as a new topic on the discussion page. |
| Incorrect Certificate Profiles and Misconfigured Certificates | |
|---|---|
| Compliance Issue or Root Cause | Mitigation Strategies |
| General Issues of Non-Compliance (e.g. certificates that do not comply with CA/B Forum requirements or Mozilla Policy) | Closely monitor changes in requirements; conduct regular audits and reviews; provide training; implement automated compliance tools |
| Certificate Profile Errors (see below - certificates issued with profiles not adhering to requirements, certificates with incorrect Subject attribute order, incorrect key usages, etc.) | Use standardized templates that have been validated against CABF and Mozilla requirements; automate the profile validation process |
| Duplicate Serial Numbers Bug #s 1636140, 1677737 | Unique serial number generation; database checks; eliminate the potential that certificate orders remain in the issuance queue when re-starting or re-configuring CA systems; generate the final certificate immediately upon receipt of the SCTs; |
| Insufficient Serial Number Entropy Numerous bugs | Check entropy with pre-issuance linting; specify more entropy than is required; follow cryptographic best practices; keep CA software up to date; test CA software for compliance with requirements; provide developers with training on the proper calculation of entropy; |
| Improper Key Usage Bug #s 1756122, 1647468, 1667448, 1703528 | Pre-issuance linting; check keyUsage configuration in certificate profiles using automated tools; review section 7 of the Baseline Requirements; implement dual control for certificate template changes; |
| Invalid CN/SAN Entries Bug #s 1687139, 1705187, 1716123, 1462423, 1897346 | Pre-issuance linting; implement automated checks for CN and SAN matching; conduct code review and system testing; |
| Invalid Certificate Extensions/Non-Standard Extensions Bug #s 1899466, 1876565, 1498463, 1524451 | Implement strict validation processes to detect and reject non-standard extensions; stay updated on revisions to requirements; implement pre-issuance linting; |
| Invalid OrganizationIdentifier Bug #s 1897538, 1898986, 1769240, 1900492 | Write detailed specifications; conduct code review; improve training and internal communications; improve linting; update validation scheme logic; replace manual processes with automation; |
| Overly Long Certificate Lifetimes/Validity Periods Bug #s 1826713, 1774418, 1676352 | Keep certificate profile management system updated; review certificate profiles on system startup; implement pre-issuance linting; set maximum validity periods to much less than that allowed by the requirements; don’t give credits for early certificate renewals; |
| Use of Deprecated or Incorrect Algorithms Bug #s 1648472, 1793441, 1664328, | Stay up-to-date with approved algorithms listed in requirements; conduct detailed certificate profile checks, and use automation where feasible; update system logic so that it selects the correct algorithm; implement pre-issuance linting; |
| Wildcard Mis-issuance Bug #s 1446121, 1528263, 1782391, 1731939, | Block wildcards in EV certificates; ensure proper syntax and ASN.1 encoding per RFC 5280; implement pre-issuance linting; |
| Incorrect Certificate Subject Details | |
| Invalid Organization Information | Implement stringent validation; cross-check with authoritative databases |
| Incorrect Address Fields | Automated address validation; regular audits |
| Insufficient Domain Validation | |
| Improper Domain Validation Methods | Enforce use of approved methods; regular training |
| CAA-based Misissuances | Automated CAA record checks; establish error handling procedures |
| Certificates for Unregistered Domains | Implement strict verification processes; automated cross-checks |
| Insufficient Validation | Strengthen validation procedures; enforce strict policies |
| Failure to Revoke and Revocation Delays | |
| Delayed Revocations | Automated revocation systems; continuous monitoring |
| Failure to Revoke Compromised Certificates | Establish immediate action policies; develop and test incident response plans |
| Revocation within 7 Days | Implement monitoring tools; automated notifications |
| Delayed Revocation of End Entity Certificates | Streamline processes; implement automated systems |
| Disclosure Failures | |
| Delayed, Incomplete, or Failed Disclosure of Intermediate CA Certificates in the CCADB | Use automated tools for timely disclosure; regular audits |
| CRL and OCSP Failures | |
| Unavailable CRLs | Implement redundant systems; regular monitoring |
| OCSP Service Outages | Deploy high availability solutions; monitoring and alerts |
| Incorrect OCSP Responses | Implement automated response validation; regular compliance checks |
| Expired, incorrect, or non-compliant OCSP Responder Certificates | Use automated management tools; regular audits |
| Expired or Invalid CRLs | Implement automated CRL management; regular audits |
| Mismatch Between CA and CRL or OCSP | Implement consistency checks; automated synchronization |
| Policy and Practice Failures | |
| Invalid or Incomplete CP or CPS Updates | Schedule regular updates; involve stakeholders in review process |
| Erroneous information in CP or CPS | Implement validation processes; conduct peer reviews |
| Delayed Responses to Problem Reports | Establish clear response time policies; use automated ticketing systems |
| Audit Issues, Delays, and Failures | |
| Delayed Audit Statements | Implement strict audit scheduling; monitoring and alerts |
| Audit Letter Validation Failures | Strengthen validation processes; regular reviews |
| Missing Audit Information | Ensure comprehensive audits; use audit checklists |
| Lack of Auditor Qualifications | Ensure auditors are qualified and certified; provide regular training |
| Test Certificates | |
| Expired Test Certificates | Implement test certificate management tools; regular audits |
| Issuance of Test Certificates | Ensure compliance with standards; use automated systems |
| Internal Security Issues | |
| Firewall Log Issues | Implement robust log management systems; regular audits |
| Improper Access Control | Establish strict access control policies; regular reviews |
