Internal Revocation Playbook and Policy for SSL Abuse Queue

October 23, 2019

Compliance shared doc link: Certificate Problem Report response playbook.docx

Version 2 (21-Oct-2019) is below. The shared doc will have the latest version.

Playbook for reported mis-issued certs in SSL Abuse

Initial (immediate) response to the reporter (but not to any other CC'd addresses) acknowledging receipt of the report: "Thank you for your report. We will look into it and give an initial response within 24 hours."

Initial analysis of the report and the necessary actions.

Triage: Is this:
a) a valid report of misissuance that requires an immediate escalation response;
b) a revocation request or other problem report that we must handle within 24 hours or within 5 days;
c) not a valid or correct problem report?

Please note that in every case, even where the problem report is spurious or malicious, we are obliged to provide a preliminary report (i.e. something beyond the initial “thanks”) to both the problem reporter AND the certificate subscriber.

[From the BRs:

Within 24 hours after receiving a Certificate Problem Report, the CA SHALL investigate the facts and circumstances related to a Certificate Problem Report and provide a preliminary report on its findings to both the Subscriber and the entity who filed the Certificate Problem Report.

]

Does it fall within one of the following reasons, which require us to complete action within 24 hours?

The CA SHALL revoke a Certificate within 24 hours if one or more of the following occurs:

1. The Subscriber requests in writing that the CA revoke the Certificate;

We know how to do this. Reply to the problem reporter instructing them how to revoke their certificate, include a link to https://secure.sectigo.com/products/RevocationPortal

We MUST respond quickly so that the certificate may be revoked within 24 hours.

2. The Subscriber notifies the CA that the original certificate request was not authorized and does not retroactively grant authorization;

Exactly the same response as #1. The subscriber's remedy is to revoke.

We MUST respond quickly so that the certificate may be revoked within 24 hours.

We know how to do this. Reply to the problem reporter instructing them how to revoke their certificate, include a link to https://secure.sectigo.com/products/RevocationPortal

3. The CA obtains evidence that the Subscriber's Private Key corresponding to the Public Key in the Certificate suffered a Key Compromise;

Exactly the same response as #1. The subscriber's remedy is to revoke.

We MUST respond quickly so that the certificate may be revoked within 24 hours.

We know how to do this. Reply to the problem reporter instructing them how to revoke their certificate, include a link to https://secure.sectigo.com/products/RevocationPortal

4. The CA obtains evidence that the validation of domain authorization or control for any Fully-Qualified Domain Name or IP address in the Certificate should not be relied upon.

The reports of this kind that are most likely to be valid are those that come from a third party who now controls the FQDN or IP address.

The reporter's remedy is to revoke.

We MUST respond quickly so that the certificate may be revoked within 24 hours.

We know how to do this. Reply to the problem reporter instructing them how to revoke their certificate, include a link to https://secure.sectigo.com/products/RevocationPortal

OTHERWISE

Respond as quickly as possible, but there is a hard 5-day limit if revocation is warranted because of one of these other reasons:

1. The Certificate no longer complies with the requirements of Sections 6.1.5 and 6.1.6 (Illegal Key sizes or Public Key Parameters Generation and Quality Checking)

2. The CA obtains evidence that the Certificate was misused;

3. The CA is made aware that a Subscriber has violated one or more of its material obligations under the Subscriber Agreement or Terms of Use;

4. The CA is made aware of any circumstance indicating that use of a Fully-Qualified Domain Name or IP address in the Certificate is no longer legally permitted (e.g. a court or arbitrator has revoked a Domain Name Registrant's right to use the Domain Name, a relevant licensing or services agreement between the Domain Name Registrant and the Applicant has terminated, or the Domain Name Registrant has failed to renew the Domain Name);

5. The CA is made aware that a Wildcard Certificate has been used to authenticate a fraudulently misleading subordinate Fully-Qualified Domain Name;

6. The CA is made aware of a material change in the information contained in the Certificate;

7. The CA is made aware that the Certificate was not issued in accordance with these (BR or EVGL) Requirements or the CA's Certificate Policy or Certification Practice Statement;

8. The CA determines or is made aware that any of the information appearing in the Certificate is inaccurate;

9. The CA's right to issue Certificates under these Requirements expires or is revoked or terminated, unless the CA has made arrangements to continue maintaining the CRL/OCSP Repository;

10. Revocation is required by the CA's Certificate Policy and/or Certification Practice Statement; or

11. The CA is made aware of a demonstrated or proven method that exposes the Subscriber's Private Key to compromise, methods have been developed that can easily calculate it based on the Public Key (such as a Debian weak key, see http://wiki.debian.org/SSLkeys), or if there is clear evidence that the specific method used to generate the Private Key was flawed.

If the reason falls under this category:

7. The CA is made aware that the Certificate was not issued in accordance with these (BR or EVGL) Requirements or the CA's Certificate Policy or Certification Practice Statement;

i.e. misissuance

We must create a bugzilla bug with the brief summary details of the report and the results of the initial analysis.

EITHER IMMEDIATELY escalate this to compliance (at time of writing Robin Alden or Rich Smith),

OR

(WITHIN 24 hours)

create a bugzilla bug with the brief summary details of the report and the results of the initial analysis

(e.g. the report appears to be valid and we will revoke within 24 hours unless we become aware of other matters that would prevent that)

(go to bugzilla.mozilla.org, 'New Bug', NSS, component 'CA Certificate Compliance')

and share a link to the bugzilla bug with the problem reporter.