Difference between revisions of "CA/Lessons Learned"
From MozillaWiki
(Initial table for "Lessons Learned" wiki page.)
m (Saving edits)
Revision as of 04:21, 30 June 2024
Compliance Issue or Root Cause | Mitigation Strategies
---|---
**Incorrect Certificate Profiles and Misconfigured Certificates** |
General Issues of Non-Compliance (e.g. certificates that do not comply with CA/B Forum requirements or Mozilla Policy) | Closely monitor changes in requirements; conduct regular audits and reviews; provide training; implement automated compliance tools
Certificate Profile Errors (see below: certificates issued with profiles not adhering to requirements, certificates with incorrect Subject attribute order, incorrect key usages, etc.) | Use standardized templates that have been validated against CABF and Mozilla requirements; automate the profile validation process
Duplicate Serial Numbers (Bug #s 1636140, 1677737) | Unique serial number generation; database checks; eliminate the potential that certificate orders remain in the issuance queue when re-starting or re-configuring CA systems; generate the final certificate immediately upon receipt of the SCTs
Insufficient Serial Number Entropy (numerous bugs) | Check entropy with pre-issuance linting; specify more entropy than is required; follow cryptographic best practices; keep CA software up to date; test CA software for compliance with requirements; provide developers with training on the proper calculation of entropy
Improper Key Usage (Bug #s 1756122, 1647468, 1667448, 1703528) | Pre-issuance linting; check keyUsage configuration in certificate profiles using automated tools; review section 7 of the Baseline Requirements; implement dual control for certificate template changes
Invalid CN/SAN Entries (Bug #s 1687139, 1705187, 1716123, 1462423, 1897346) | Pre-issuance linting; implement automated checks for CN and SAN matching; conduct code review and system testing
Invalid Certificate Extensions/Non-Standard Extensions (Bug #s 1899466, 1876565, 1498463, 1524451) | Implement strict validation processes to detect and reject non-standard extensions; stay updated on revisions to requirements; implement pre-issuance linting
Invalid OrganizationIdentifier (Bug #s 1897538, 1898986, 1769240, 1900492) | Write detailed specifications; conduct code review; improve training and internal communications; improve linting; update validation scheme logic; replace manual processes with automation
Overly Long Certificate Lifetimes/Validity Periods (Bug #s 1826713, 1774418, 1676352) | Keep certificate profile management system updated; review certificate profiles on system startup; implement pre-issuance linting; set maximum validity periods to much less than that allowed by the requirements; don’t give credits for early certificate renewals
Use of Deprecated or Incorrect Algorithms (Bug #s 1648472, 1793441, 1664328) | Stay up-to-date with approved algorithms listed in requirements; conduct detailed certificate profile checks, and use automation where feasible; update system logic so that it selects the correct algorithm; implement pre-issuance linting
Wildcard Mis-issuance (Bug #s 1446121, 1528263, 1782391, 1731939) | Block wildcards in EV certificates; ensure proper syntax and ASN.1 encoding per RFC 5280; implement pre-issuance linting
**Incorrect Certificate Subject Details** |
Invalid Organization Information | Implement stringent validation; cross-check with authoritative databases
Incorrect Address Fields | Automated address validation; regular audits
**Insufficient Domain Validation** |
Improper Domain Validation Methods | Enforce use of approved methods; regular training
CAA-based Misissuances | Automated CAA record checks; establish error handling procedures
Certificates for Unregistered Domains | Implement strict verification processes; automated cross-checks
Insufficient Validation | Strengthen validation procedures; enforce strict policies
**Failure to Revoke and Revocation Delays** |
Delayed Revocations | Automated revocation systems; continuous monitoring
Failure to Revoke Compromised Certificates | Establish immediate action policies; develop and test incident response plans
Revocation within 7 Days | Implement monitoring tools; automated notifications
Delayed Revocation of End Entity Certificates | Streamline processes; implement automated systems
**Disclosure Failures** |
Delayed, Incomplete, or Failed Disclosure of Intermediate CA Certificates in the CCADB | Use automated tools for timely disclosure; regular audits
**CRL and OCSP Failures** |
Unavailable CRLs | Implement redundant systems; regular monitoring
OCSP Service Outages | Deploy high availability solutions; monitoring and alerts
Incorrect OCSP Responses | Implement automated response validation; regular compliance checks
Expired, incorrect, or non-compliant OCSP Responder Certificates | Use automated management tools; regular audits
Expired or Invalid CRLs | Implement automated CRL management; regular audits
Mismatch Between CA and CRL or OCSP | Implement consistency checks; automated synchronization
**Policy and Practice Failures** |
Invalid or Incomplete CP or CPS Updates | Schedule regular updates; involve stakeholders in review process
Erroneous information in CP or CPS | Implement validation processes; conduct peer reviews
Delayed Responses to Problem Reports | Establish clear response time policies; use automated ticketing systems
**Audit Issues, Delays, and Failures** |
Delayed Audit Statements | Implement strict audit scheduling; monitoring and alerts
Audit Letter Validation Failures | Strengthen validation processes; regular reviews
Missing Audit Information | Ensure comprehensive audits; use audit checklists
Lack of Auditor Qualifications | Ensure auditors are qualified and certified; provide regular training
**Test Certificates** |
Expired Test Certificates | Implement test certificate management tools; regular audits
Issuance of Test Certificates | Ensure compliance with standards; use automated systems
**Internal Security Issues** |
Firewall Log Issues | Implement robust log management systems; regular audits
Improper Access Control | Establish strict access control policies; regular reviews
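Several rows in the first section of the table name pre-issuance linting as the mitigation (serial number entropy, keyUsage, CN/SAN matching, non-standard extensions, validity periods, deprecated algorithms, wildcards in EV). The following is an added example, not code from the wiki or from any CA, of what such a lint step looks like when run over a to-be-signed certificate before the CA signs it; the certificate is modelled as a plain dict, the 365-day policy limit and the sample profiles are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Policy values assumed for this example; the table only says validity should be
# "much less than that allowed", so 365 days stands in for a CA's own CPS limit.
MAX_VALIDITY_DAYS = 365
DEPRECATED_SIG_ALGS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}
STANDARD_EXTENSIONS = {"keyUsage", "extKeyUsage", "subjectAltName", "basicConstraints",
                       "authorityKeyIdentifier", "subjectKeyIdentifier", "certificatePolicies",
                       "crlDistributionPoints", "authorityInfoAccess"}


def lint_tbs(tbs):
    """Pre-issuance lint of a TLS server to-be-signed certificate (dict).
    Returns a list of findings; an empty list means the profile passed."""
    findings = []
    serial = tbs["serial"]
    if serial <= 0:
        findings.append("serial number must be a positive integer")
    elif serial.bit_length() < 64:  # fewer than 64 bits of value: entropy is suspect
        findings.append("serial number shorter than 64 bits: check CSPRNG usage")
    if (serial.bit_length() + 8) // 8 > 20:  # DER INTEGER adds a sign bit
        findings.append("serial number DER encoding exceeds 20 octets")
    days = (tbs["not_after"] - tbs["not_before"]).days
    if days > MAX_VALIDITY_DAYS:
        findings.append(f"validity of {days} days exceeds policy maximum of {MAX_VALIDITY_DAYS}")
    cn, sans = tbs.get("cn"), tbs["san_dns"]
    if cn and cn not in sans:
        findings.append(f"CN {cn!r} is not present in the SAN dNSName list")
    if tbs["ev"] and any(n.startswith("*.") for n in sans):
        findings.append("wildcard dNSName in an EV certificate")
    ku = set(tbs["key_usage"])
    if ku & {"keyCertSign", "cRLSign"}:
        findings.append("end-entity keyUsage asserts CA-only bits")
    if "digitalSignature" not in ku:
        findings.append("TLS server keyUsage lacks digitalSignature")
    if tbs["sig_alg"] in DEPRECATED_SIG_ALGS:
        findings.append(f"deprecated signature algorithm {tbs['sig_alg']}")
    unknown = sorted(set(tbs["extensions"]) - STANDARD_EXTENSIONS)
    if unknown:
        findings.append(f"non-standard extensions present: {unknown}")
    return findings


# Constructed sample input: one compliant profile and one that repeats several
# of the table's root causes at once (short serial, long validity, CN not in SAN,
# wildcard in EV, CA-only keyUsage, SHA-1, private extension).
_start = datetime(2024, 6, 30)
GOOD_TBS = {"serial": 0x5f3a9c2e8b1d4f70a3c6e9b2d5f8a1c4, "not_before": _start,
            "not_after": _start + timedelta(days=90), "cn": "www.example.com",
            "san_dns": ["www.example.com", "example.com"], "ev": False,
            "key_usage": ["digitalSignature"], "sig_alg": "sha256WithRSAEncryption",
            "extensions": ["keyUsage", "extKeyUsage", "subjectAltName", "basicConstraints"]}
BAD_TBS = dict(GOOD_TBS, serial=4711, not_after=_start + timedelta(days=825),
               cn="example.org", san_dns=["*.example.com"], ev=True,
               key_usage=["keyCertSign"], sig_alg="sha1WithRSAEncryption",
               extensions=["keyUsage", "subjectAltName", "vendorPrivateExt"])
```

Wiring `lint_tbs` in as a gate that refuses to sign on any non-empty result is what turns these checks into the pre-issuance control the table describes; the same function can be run over already-issued certificates to find profile errors retroactively.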