|
digitalist posted:So I'm reading through the Globaltrust Certification Policy and, from what I understand it's just suppose to state "what" they do, and the Certification Policy Statement is where they demonstrate how they accomplish the what. I guess it makes it pretty dry reading, is there a matrix somewhere I could compare or check boxes to make sure they're at least covering the necessary bases? another public auditor has hit the thread
|
# ? May 5, 2024 04:35 |
|
|
# ? May 5, 2024 19:36 |
|
Got a lot to learn about this, CPS is actually Certification Practice Statement. RFC 3647 is the document I was looking for, quote:Abstract quote:* The responsibility of a PKI participant to publish information I guess it makes some sense some of those technical controls might not be available, it could be exploited. But it does feel like there's a massive gulf between "we make sure our stuff won't be damaged by water" and information that would enable exploitation. I suppose this is something an audit would look at? It would be nice if they said somewhere under what conditions it would be made available, even if it's only to professional auditing firms. Frequency of audits seems to be specified within the CPS, in globaltrust's case, quote:Audits through external assessors are conducted on principle once a year There were three audits conducted in 2023, https://service.globaltrust.eu/static/conformity-assessment-2023.pdf https://service.globaltrust.eu/static/conformity-assessment-seal-2023.pdf https://www.a-sit.at/wp-content/uploads/2023/05/VIG-23-044_audit-attestation_globaltrust-etsi-2023_final_signed.pdf So from my tiny research session, despite their CPS giving off first year university student writing an essay effort vibes, you could argue it's compliant. Except for the above, almost. By this time last year they had two audits completed, and in a month they will be past the one year mark from their most recent audit. But, the CPS says "annual" and I guess they could get away with an audit conducted in December of 2024, technically it would be annual. Interesting start, will keep poking around but enough for this evening. digitalist fucked around with this message at 06:07 on May 5, 2024 |
# ? May 5, 2024 04:58 |
|
YACPOS your audit compliance is a piece of poo poo
|
# ? May 5, 2024 06:09 |
|
Salt Fish posted:I always had some sense that PKI depending on trusted root CAs was ripe for Bad Things to happen but I didn't expect multiple CAs to have worse security than my grandma's wordpress. in retrospect i shouldn't have been surprised, but i was
|
# ? May 5, 2024 06:48 |
|
digitalist posted:So I'm reading through the Globaltrust Certification Policy and, from what I understand it's just suppose to state "what" they do, and the Certification Policy Statement is where they demonstrate how they accomplish the what. I guess it makes it pretty dry reading, is there a matrix somewhere I could compare or check boxes to make sure they're at least covering the necessary bases? digitalist posted:Fascinating read. Curious to actually get into the meat of the matter, so off I went to find the GLOBALTRUST Certificate Security Policy, shouldn't this be called the Certification Policy Statement? Anyway, then I stumbled on this, which is actually on the first page or so of the Certification Policy document, digitalist posted:Got a lot to learn about this, what you should think when reading these are "these are the self-imposed limitations on creating a certificate, how clear is each section?". honestly i didn't expect you to dig into it that deep or i'd given you a bit more info to start. i've already gave a bunch of questions and head-scratching on bugzilla trying to make sense of the document it's really the deep end of badly written CA docs for anyone who wants to follow along there are the: Baseline Requirements: https://cabforum.org/working-groups/server/baseline-requirements/documents/ - literally the skeleton of what you should be doing in your CP/CPS and your CP/CPS should have wording saying the BR supersedes them when they're wrong Incident Report: https://www.ccadb.org/cas/incident-report - how you should handle an incident report, note 72 hours from being made aware to filing so missing that is another problem Chrome Root Program Policy: https://g.co/chrome/root-policy - oh Chrome does say "an authoritative English language version"... Mozilla's Main CA Page: https://wiki.mozilla.org/CA - Bunch of random info in there Mozilla's Root Store Policy: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ - Most of the policy as... Mozilla Incident Report: https://wiki.mozilla.org/CA/Responding_To_An_Incident - There's the Mozilla incident report building on top of CCADB's minimum Microsoft Trusted Root Program: https://learn.microsoft.com/en-us/security/trusted-root/program-requirements - Basically useless Apple Root Certificate Program: https://www.apple.com/certificateauthority/ca_program.html - Pretty useless too but they do ask for any incident to go directly to them on top of bugzilla Bunch more resources: https://www.ccadb.org/resources Wiggly Wayne DDS fucked around with this message at 12:25 on May 5, 2024 |
# ? May 5, 2024 11:51 |
|
Wiggly Wayne DDS posted:Chrome Root Program Policy: https://g.co/chrome/root-policy Thanks for all this, tempted to put together a « so you want learn how to audit CAs guide » as I go along with all this. Will dig in but one thing I forgot to mention is that on globaltrust’s website I wasn’t able to find an English version of the audit docs, just German. But the CCADB link you posted did link to English versions of those documents. Seems like it’s something you would want on your website but maybe it being available through the CCADB is enough. It’s an interesting process, just pulling on a thread and seeing where it leads.
|
# ? May 5, 2024 13:22 |
|
MononcQc posted:Human health and safety are sometimes the responsibility of government agencies though. yes for sure, and those aspects of agency operation tend to be regulated and audited for business continuity capabilities one of the things they absolutely need to have continuity through is a vendor error, such as a CA accidentally revoking their cert, perhaps I can imagine that some don’t, and discover this when a CA comes to them and says “we misissued this certificate (which is essential to health and safety etc), and we need to revoke”. at that point, if they realize that they can’t rotate in the five day window (!), I would very much expect them to ask for an exception once and then remediate whatever gave them that problem as promptly as possible—with public reports on their completion, because that exception has impacts on WebPKI integrity I would also expect that anyone selling certs as infrastructure for safety-critical functions to make them aware of the possibility that certificates will need to be revoked, and impress upon them the importance of being able to replace them the idea of safety-critical stuff depending on WebPKI is itself pretty worrying, speaking as someone who has had to consider “societal effects” when making decisions about how it is administered. I sort of feel that WebPKI should be declared explicitly as not being suitable for safety-critical applications, since it can’t feasibly provide the levels of reliability and availability that would be (IMO; never audited for it) appropriate for such uses
|
# ? May 5, 2024 15:18 |
|
Subjunctive posted:the idea of safety-critical stuff depending on WebPKI is itself pretty worrying, speaking as someone who has had to consider “societal effects” when making decisions about how it is administered. I sort of feel that WebPKI should be declared explicitly as not being suitable for safety-critical applications, since it can’t feasibly provide the levels of reliability and availability that would be (IMO; never audited for it) appropriate for such uses The time delay is worrying especially for slow moving organizations like governments. I know from past jobs that a government ministry wanting to change certificate providers, for example, would take at least 6-12 months because of procurement/public offer regulations. Maybe there's an exception in there somewhere for emergencies, I would have trouble conceiving of that not existing, but yeah, something I feel compelled to check out now.
|
# ? May 5, 2024 15:45 |
|
another option is to work with multiple CAs, ideally for certs with out-of-phase lifetimes, so that if something fucks up with one CA you’re ready to go on your “hot spare”. you can also run replacement drills between the cert sets at low risk because if you miss one it’s still got something valid while you clean up that’s how all the tech majors run, because FB’s web certs getting blown away literally stops the business (as has happened a couple of times for short time periods)
|
# ? May 5, 2024 15:56 |
|
agreed with all of that. I used to think it was weird that US Dept of Defense made you install & trust their certs for various things but it kinda makes sense for both the reasons above and that they are so big they have all that infrastructure and also they must have the largest PKI userbase in the world. Really nice when done properly.
|
# ? May 5, 2024 16:07 |
|
Subjunctive posted:another option is to work with multiple CAs, ideally for certs with out-of-phase lifetimes, so that if something fucks up with one CA you’re ready to go on your “hot spare”. you can also run replacement drills between the cert sets at low risk because if you miss one it’s still got something valid while you clean up Cloudflare (boo hiss I know but they do some things well) does this as a service with their ACME CA: https://developers.cloudflare.com/ssl/edge-certificates/backup-certificates/ they'll normally use the CF cert they issue, but they keep a backup, issued from a pool of other free ACME CAs like LE and GTS
|
# ? May 5, 2024 16:11 |
|
also c'mon Cloudflare it's 2024 why do all your products still say "SSL" in them?
|
# ? May 5, 2024 16:11 |
|
Subjunctive posted:another option is to work with multiple CAs, ideally for certs with out-of-phase lifetimes, so that if something fucks up with one CA you’re ready to go on your “hot spare”. you can also run replacement drills between the cert sets at low risk because if you miss one it’s still got something valid while you clean up Yeah this is a good point, sadly I'm not sure our government has this contingency accounted for, but what do I know. I did some googling last night on governments and whether or not they ran their own CAs which would seem logical, whatever cost of operating one could be offset by not paying someone else to do it and it could offer more agility/independence or something along those lines. I saw a few countries do, Italy, Netherlands, Estonia, USA (as mentioned). edit: Estonia also issued every citizen a certificate for its interactions with the government which seemed interesting, I don't really know much more than that about it but yeah, seems natural if digitizing? Digitalisierung of governments is a goal digitalist fucked around with this message at 16:18 on May 5, 2024 |
# ? May 5, 2024 16:15 |
|
digitalist posted:Yeah this is a good point, sadly I'm not sure our government has this contingency accounted for, but what do I know. I did some googling last night on governments and whether or not they ran their own CAs which would seem logical, whatever cost of operating one could be offset by not paying someone else to do it and it could offer more agility/independence or something along those lines. I saw a few countries do, Italy, Netherlands, Estonia, USA (as mentioned). so i was looking into rfc 3647 as it's on the ballot for an enforced structure of cp/cps and some things jumped out to me https://datatracker.ietf.org/doc/html/rfc3647#section-3.1 quote:A CP is represented in a certificate by a unique number called an "Object Identifier" (OID). That OID, or at least an "arc", can be registered. An "arc" is the beginning of the numerical sequence of an OID and is assigned to a particular organization. The registration process follows the procedures specified in ISO/IEC and ITU standards. The party that registers the OID or arc also can publish the text of the CP, for examination by relying parties. Any one certificate will typically declare a single CP or, possibly, be issued consistent with a small number of different policies. Such declaration appears in the Certificate Policies extension of a X.509 Version 3 certificate. When a CA places multiple CPs within a certificate's Certificate Policies extension, the CA is asserting that the certificate is appropriate for use in accordance with any of the listed CPs. but what really stood out to me historically is how they classified CP/CPS at the time: https://datatracker.ietf.org/doc/html/rfc3647#section-3.5 quote:The CP and CPS address the same set of topics that are of interest to the relying party in terms of the degree to and purpose for which a public key certificate should be trusted. Their primary difference is in the focus of their provisions. A CP sets forth the requirements and standards imposed by the PKI with respect to the various topics. In other words, the purpose of the CP is to establish what participants must do. A CPS, by contrast, states how a CA and other participants in a given domain implement procedures and controls to meet the requirements stated in the CP. In other words, the purpose of the CPS is to disclose how the participants perform their functions and implement controls.
|
# ? May 5, 2024 16:35 |
|
An enforced CP/CPS structure seems self evident, there's nothing unique about the technical or physical controls necessary for a PKI to do its job adequately, having each come up with on their own and define it in a CP seems like inviting trouble. Have a list of pre defined certification policy elements with matching OIDs and then maybe you can just do away with "unique" CPs entirely in a sense, just have one master CP administered by the root CAs and CPS can refer just refer to specific CP OIDs and how they manage them. I just got here so I'm probably stating things that are plainly obvious and are already in motion if a more regulated CP/CPS is being tabled but it's hard to ignore how disorganized the current structure is. digitalist fucked around with this message at 16:55 on May 5, 2024 |
# ? May 5, 2024 16:53 |
|
no, I think there are different ways that a CA might implement the necessary controls, which are generally specified as policy and not mechanism of enforcement similarly to PCI or SOC2 in that sense
|
# ? May 5, 2024 16:54 |
|
Subjunctive posted:no, I think there are different ways that a CA might implement the necessary controls, which are generally specified as policy and not mechanism of enforcement Yeah I can see that, my ideas are edit: But yeah, let me just double down on how poorly thought out this is. Clearly I'm wandering into something I don't understand well and the previous ideas are clumsy attempts at simplifying the complexity I've encountered. digitalist fucked around with this message at 17:02 on May 5, 2024 |
# ? May 5, 2024 16:57 |
|
digitalist posted:An enforced CP/CPS structure seems self evident, there's nothing unique about the technical or physical controls necessary for a PKI to do its job adequately, having each come up with on their own and define it in a CP seems like inviting trouble. Have a list of pre defined certification policy elements with matching OIDs and then maybe you can just do away with "unique" CPs entirely in a sense, just have one master CP administered by the root CAs and CPS can refer just refer to specific CP OIDs and how they manage them. quote:Effective 2024-09-15, the Certificate Policy and/or Certification Practice Statement MUST be structured in accordance with section 6 of RFC 3647 and MUST: e: i mean hell this is still in br 2.0.3: quote:16 Note: Although RFC 5280 specifies the upper bound as 32,768 characters, this was a transcription error from X.520 (08/2005). The effective (interoperable) upper bound is 64 characters
|
# ? May 5, 2024 17:05 |
|
lol just a few orders of magnitude on that erratum
|
# ? May 5, 2024 17:12 |
|
Wiggly Wayne DDS posted:i'm still amused at them tying themselves down to specification x.520 and not clarifying which version when that body could update the document tomorrow and make every CA non-compliant. they've built a house of cards relying on superseding authorities they have no control over Wiggly Wayne DDS posted:e: i mean hell this is still in br 2.0.3:
|
# ? May 5, 2024 17:16 |
|
yeah, I thought Kathleen had regulatory experience, but it doesn't look like it on review (just time at VeriSign) hmm!
|
# ? May 5, 2024 17:23 |
|
tbc they're saying that's the dated document of when the error occurred, not the version they're relying on
|
# ? May 5, 2024 17:32 |
|
Wiggly Wayne DDS posted:i really feel that no one involved in the cabforum has done any regulatory work at all and they're just trying to poorly emulate how they think it all works in other fields. damnit wayne, now the CT logs are going to be filled with screenshots as proof of issuance for pre-certs. LOOK WHAT YOU'VE WILLED INTO EXISTENCE
|
# ? May 5, 2024 17:35 |
|
Wayne, how do you keep your notes organized?
|
# ? May 5, 2024 18:33 |
|
digitalist posted:Wayne, how do you keep your notes organized? otherwise, i have a memory
|
# ? May 5, 2024 19:00 |
|
Wiggly Wayne DDS posted:otherwise, i have a memory must be nice
|
# ? May 5, 2024 19:18 |
|
|
# ? May 5, 2024 19:36 |
|
Wiggly Wayne DDS posted:otherwise, i have a memory hosed up if true
|
# ? May 5, 2024 19:22 |