The Mozilla Root Store has published the following decision in the case of PROCERT, included in app-misc/ca-certificates as PSCProcert.pem.

It seems like it will be a straight removal upstream, so we need to keep track of its removal either in a new version or through direct measures.

##

The CA Certificates module owner and peers have come to a decision regarding our investigations into the activities of the CA "PROCERT". A large number of issues were raised regarding the operations and practices of this CA:

https://wiki.mozilla.org/CA:PROCERT_Issues

Considering them, it seems clear to us that PROCERT have not been, and continue not to be, adequately aware of the requirements placed upon them by various RFCs, the CA/Browser Forum's Baseline Requirements, and Mozilla Root Store Policy. They have not demonstrated sufficient control of their issuance pipeline or sufficient checking of the results to avoid regularly creating certificates which violate the requirements of one or more of those documents. PROCERT have also made assurances to us, via responses to CA Communications, that certain things were true which are manifestly not so (e.g. that they were using properly-randomized serial numbers).

In addition, PROCERT's response to these issues was inadequate. While they revoked (most, but not all, of) the certificates which were flagged as problematic, their written responses have been limited in number and are very superficial. In some cases, it is clear that they have not understood the issue that was raised. They have not, to our knowledge, performed any root cause analysis which might allow us to have some confidence that problems of this or a similar nature will not recur. We have very little insight into their systems and what, if any, safeguards they have in place. It seems that PROCERT's belief is that revocation is an adequate remedy for all of the problems listed. We disagree.

Therefore, we feel we can no longer trust PROCERT, and plan to proceed with removing their "PSPProcert" certificate from our root program and root store.

Kathleen Wilson
Gervase Markham
Ryan Sleevi
This is obsolete, as it has been resolved by updating ca-certificates in the meantime.