Mozilla alleges PROCERT is not “adequately aware of the requirements placed upon them.”
Mozilla has reached a decision to distrust PROCERT and to remove the CA from its root program for a range of issues centering around the mis-issuance of 29 SSL certificates. The decision was laid out in a blog post on Mozilla’s dev.security.policy forum earlier today.
In the post, Gervase Markham writes:
Considering [a large number of issues were raised regarding the operations and practices of this CA], it seems clear to us that PROCERT have not been, and continue not to be, adequately aware of the requirements placed upon them by various RFCs, the CA/Browser Forum’s Baseline Requirements, and Mozilla Root Store Policy. They have not demonstrated sufficient control of their issuance pipeline or sufficient checking of the results to avoid regularly creating certificates which violate the requirements of one or more of those documents. PROCERT have also made assurances to us, via responses to CA Communications, that certain things were true which are manifestly not so (e.g. that they were using properly-randomized serial numbers).
Also of concern was PROCERT’s response to the issues raised about its operations and practices, which Mozilla deemed inadequate.
Here’s How PROCERT Got Here
PROCERT is a tiny Venezuelan CA that is government-affiliated and has issued only a few hundred public certificates. We wrote an article last month giving the full details of the seven issues raised by Mozilla on August 16th, but I’ll give you the abridged version here.
So, how did such a small CA get into so much trouble? By practically making their ineptitude look like some bizarre form of performance art. In total, PROCERT mis-issued 29 SSL certificates: it issued for .local domains, issued for URLs instead of domain names, issued for reserved IP addresses, omitted the certificate's common name from the SAN extension, issued with non-random serial numbers, served “good” OCSP responses for non-existent certificates, and issued a certificate with a 1024-bit key. Comically, the 1024-bit key was discovered by accident, because PROCERT shared it while ineptly trying to defend itself against another allegation.
And PROCERT only dug itself in further when, in its subsequent defenses, it argued that “http://” was allowable in a certificate (industry standards say it is not) and then asked if anyone knew the OpenSSL command line to test its own OCSP responders.
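Most of the mis-issuance patterns listed above (internal .local names, URLs where a hostname belongs, reserved IP addresses, a CN missing from the SAN list, short or sequential serial numbers, sub-2048-bit RSA keys) are mechanical checks that a CA is expected to run on every certificate before it leaves the issuance pipeline. The following is an added illustration, not code from Mozilla, PROCERT or this article: a small pre-issuance lint written in Python over constructed certificate summaries (plain dicts standing in for parsed X.509 fields, so it runs without any certificate library). The field names, the three sample certificates and their serial numbers are all made up for the example; the thresholds (64-bit serial entropy, 2048-bit RSA minimum, CN must be repeated in the SAN extension) are the CA/Browser Forum Baseline Requirements rules the post refers to.

```python
import ipaddress
import re

# One DNS label per RFC 1123 (simplified): letters, digits and hyphens,
# no leading or trailing hyphen, at most 63 characters.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_public_dns_name(name):
    """True if name is a plausible public hostname: not a URL, not a
    single-label internal name, not under the reserved .local TLD."""
    if "://" in name or "/" in name:
        return False  # "http://www.example.com" is a URL, not a dNSName
    labels = name.rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]  # a leading wildcard label is permitted
    if len(labels) < 2:
        return False  # single-label names are internal, never publicly resolvable
    if not all(_LABEL.match(label) for label in labels):
        return False
    if labels[-1].lower() == "local":
        return False  # .local is reserved for mDNS, so it cannot be validated
    return True


def is_public_ip(value):
    """True if value parses as an IP address that is globally routable
    (rejects RFC 1918, loopback, link-local and other reserved ranges)."""
    try:
        return ipaddress.ip_address(value).is_global
    except ValueError:
        return False


def lint_certificate(cert):
    """Return the list of Baseline-Requirements findings for one constructed
    certificate summary (hypothetical dict layout used by this example)."""
    findings = []
    sans = cert.get("sans", [])
    for kind, value in sans:
        if kind == "dns" and not is_public_dns_name(value):
            findings.append(f"SAN dNSName {value!r} is not a public hostname")
        elif kind == "ip" and not is_public_ip(value):
            findings.append(f"SAN iPAddress {value!r} is reserved or private")
    cn = cert.get("subject_cn")
    if cn is not None and cn not in [value for _, value in sans]:
        findings.append(f"subject CN {cn!r} is not repeated in the SAN extension")
    serial = cert["serial"]
    # BR 7.1: serials must be positive and carry at least 64 bits of CSPRNG output.
    if serial <= 0 or serial.bit_length() < 64:
        findings.append(f"serial 0x{serial:x} has fewer than 64 bits of entropy")
    if cert.get("rsa_bits", 2048) < 2048:
        findings.append(f"RSA key of {cert['rsa_bits']} bits is below the 2048-bit minimum")
    return findings


def lint_batch(certs):
    """Lint several certificates and additionally flag sequential serials,
    which a per-certificate check cannot see."""
    results = {c["id"]: lint_certificate(c) for c in certs}
    ordered = sorted((c["serial"], c["id"]) for c in certs)
    for (s1, id1), (s2, id2) in zip(ordered, ordered[1:]):
        if s2 - s1 == 1:
            results[id2].append(f"serial is sequential to certificate {id1}")
    return results


# Constructed sample input: one clean certificate and two that reproduce
# the kinds of defects described in the post.
SAMPLE_CERTS = [
    {"id": "cert-A", "subject_cn": "www.example.com",
     "sans": [("dns", "www.example.com")],
     "serial": 0x5F3A9C2E17B4D8E6A1C0F9D2B3E4A5C7, "rsa_bits": 2048},
    {"id": "cert-B", "subject_cn": "mail.corp.local",
     "sans": [("dns", "mail.corp.local"), ("ip", "10.1.2.3")],
     "serial": 0x1001, "rsa_bits": 2048},
    {"id": "cert-C", "subject_cn": "portal.example.org",
     "sans": [("dns", "http://portal.example.org")],
     "serial": 0x1002, "rsa_bits": 1024},
]

if __name__ == "__main__":
    for cert_id, findings in lint_batch(SAMPLE_CERTS).items():
        print(cert_id, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

Run against the constructed batch, cert-A passes cleanly, cert-B is flagged for its .local name, private IP and 13-bit serial, and cert-C collects five findings, including the URL-as-hostname and the serial that is exactly one greater than cert-B's. A CA that had run even this much before signing would have caught every item in the list above except the OCSP responder behaviour, which needs a separate check against the responder itself.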
Now, I understand that was a dense couple of paragraphs. You might not know what all of that means. That’s OK. What’s not OK was for PROCERT, a trusted CA, not to know. But its lack of knowledge of industry standards, coupled with its response – mistakenly thinking that simple revocation was enough – are what ultimately doomed PROCERT.
The Mozilla post continues:
PROCERT’s response to these issues was inadequate. While they revoked (most, but not all, of) the certificates which were flagged as problematic, their written responses have been limited in number and are very superficial. In some cases, it is clear that they have not understood the issue that was raised. They have not, to our knowledge, performed any root cause analysis which might allow us to have some confidence that problems of this or a similar nature will not recur. We have very little insight into their systems and what, if any, safeguards they have in place.
So, that’s it for PROCERT. Its SSL certificates will no longer be trusted as its root has now been removed from Mozilla’s program. While the CA is currently still trusted by Apple and Microsoft, both companies tend to fall in line with the decisions made by Mozilla (as well as Google, which already didn’t trust PROCERT).
Frankly, this decision isn’t going to affect many people. Its impact will mostly be limited to Venezuela, and only to a handful of public websites. It’s mostly a problem for the Venezuelan government.
What we Hashed Out (For Skimmers)
Here’s what we covered in today’s discussion:
- Venezuelan CA PROCERT has been distrusted by Mozilla and removed from its root program.
- A number of issues were raised about the CA’s competence and understanding of industry standards.
- PROCERT’s response to these allegations was underwhelming and ultimately led to the decision to distrust the CA.