CA/Lessons Learned
From MozillaWiki
< CA
Revision as of 22:05, 26 June 2024 by Bwilson (talk | contribs) (Initial table for "Lessons Learned" wiki page.)
|
THIS PAGE IS A WORKING DRAFT | 
|
| The page may be difficult to navigate, and some information on its subject might be incomplete and/or evolving rapidly. If you have any questions or ideas, please add them as a new topic on the discussion page. |
| Incorrect Certificate Profiles and Misconfigured Certificates | |
|---|---|
| Compliance Issue or Root Cause | Mitigation Strategies |
| General Issues of Non-Compliance | Regular audits and reviews; training programs; automated compliance tools |
| Certificate Profile Errors | Use standardized templates; automated profile validation |
| Duplicate Serial Numbers | Unique serial number generation; database checks |
| Invalid Serial Number Entropy | Entropy checks; follow cryptographic best practices |
| Improper Key Usage | Automated key usage validation; enforce strict policies |
| Invalid CN/SAN Entries | Syntax validation; automated checks for CN and SAN matching |
| Invalid Certificate Extensions/Non-Standard Extensions | Validate against allowed extensions; ensure standard compliance |
| Invalid OrganizationIdentifier | Strengthen validation processes; automated checks |
| Overly Long Certificate Lifetimes/Validity Periods | Enforce maximum validity periods; regular reviews |
| Use of Deprecated Algorithms | Stay updated with approved algorithms; automated policy checks |
| Wildcard Mis-issuance | Follow strict encoding rules; automated validation |
| Incorrect Certificate Subject Details | |
| Invalid Organization Information | Implement stringent validation; cross-check with authoritative databases |
| Incorrect Address Fields | Automated address validation; regular audits |
| Insufficient Domain Validation | |
| Improper Domain Validation Methods | Enforce use of approved methods; regular training |
| CAA-based Misissuances | Automated CAA record checks; establish error handling procedures |
| Certificates for Unregistered Domains | Implement strict verification processes; automated cross-checks |
| Insufficient Validation | Strengthen validation procedures; enforce strict policies |
| Failure to Revoke and Revocation Delays | |
| Delayed Revocations | Automated revocation systems; continuous monitoring |
| Failure to Revoke Compromised Certificates | Establish immediate action policies; develop and test incident response plans |
| Revocation within 7 Days | Implement monitoring tools; automated notifications |
| Delayed Revocation of End Entity Certificates | Streamline processes; implement automated systems |
| Disclosure Failures | |
| Delayed, Incomplete, or Failed Disclosure of Intermediate CA Certificates in the CCADB | Use automated tools for timely disclosure; regular audits |
| CRL and OCSP Failures | |
| Unavailable CRLs | Implement redundant systems; regular monitoring |
| OCSP Service Outages | Deploy high availability solutions; monitoring and alerts |
| Incorrect OCSP Responses | Implement automated response validation; regular compliance checks |
| Expired, incorrect, or non-compliant OCSP Responder Certificates | Use automated management tools; regular audits |
| Expired or Invalid CRLs | Implement automated CRL management; regular audits |
| Mismatch Between CA and CRL or OCSP | Implement consistency checks; automated synchronization |
| Policy and Practice Failures | |
| Invalid or Incomplete CP or CPS Updates | Schedule regular updates; involve stakeholders in review process |
| Erroneous information in CP or CPS | Implement validation processes; conduct peer reviews |
| Delayed Responses to Problem Reports | Establish clear response time policies; use automated ticketing systems |
| Audit Issues, Delays, and Failures | |
| Delayed Audit Statements | Implement strict audit scheduling; monitoring and alerts |
| Audit Letter Validation Failures | Strengthen validation processes; regular reviews |
| Missing Audit Information | Ensure comprehensive audits; use audit checklists |
| Lack of Auditor Qualifications | Ensure auditors are qualified and certified; provide regular training |
| Test Certificates | |
| Expired Test Certificates | Implement test certificate management tools; regular audits |
| Issuance of Test Certificates | Ensure compliance with standards; use automated systems |
| Internal Security Issues | |
| Firewall Log Issues | Implement robust log management systems; regular audits |
| Improper Access Control | Establish strict access control policies; regular reviews |
