Prelude
This is a risk assessment based on AS/NZS 4360:2004. It is work in progress and is not endorsed by the CAcert board.
Context
This risk assessment applies to the CAcert operation as a certificate authority. Many of the governance obligations of operating as a certificate authority are tied to the operation of CAcert Incorporated (the association), and those aspects are incorporated into this risk assessment.
The risks to be managed are those that affect the viability of CAcert's certificate authority function.
Q(iang): organisation is what? There is the CAcert Inc Association, the certificate authority, the Assurer network, sundry others and finally, the Community. If organisation as a whole, perhaps the Community, but also the CA ... (dan) scoped to CA and to some extent addressed the governance/community dependencies
External Context
CAcert is a community organisation in the business of validating identities, and it provides a certificate (X.509) service on that basis. It operates globally. As for all certification authorities (CAs), the risks are ones of the proper process and technology needed to support a high standard of identity validation for the owners of certificates. Reputation is highly important to CAcert.
CAcert's certificate authority obligations depend on the community of assurers, and the Community Agreement sets a standard of mutual obligation that CAcert is determined to uphold. Unlike most CAs, the split between assurance and certificate issuance creates a large obligation to serve the assurance community.
The key business goal is to gain InclusionStatus in major browsers. The Mozilla organisation requires the completion of an Audit Project before granting inclusion status, so completing the audit is the major goal.
The Audit Project is funded by NLnet and is obliged to deliver outcomes at specified dates.
Internal Context
The board and the management subcommittee (M-SC) are volunteers committed to these goals of the organisation; their time, however, is limited. CAcert is an incorporated organisation in NSW, Australia, managed by the board. The board has delegated CEO-like duties to the M-SC.
CAcert's assets include ownership of the servers that provide the various online functions necessary for the operation of a CA. Audit and documentation services have been contracted out, as have hosting and firewall management.
CAcert's financial assets are largely funded activities that depend on delivering outcomes.
An internal goal is to raise system administration to a supportable level.
Risk Measurement
Risks rated above Medium will be managed. Medium risks will be managed if time and cost permit. The consequence and likelihood factors below determine the risk rating.
Consequence Ratings
These describe the harms that occur if the threat is realised.

Catastrophic
- Will impact the long-term viability of the organisation

Major
- Will result in CAcert's root certificate being revoked from major browsers
- Loss of confidentiality of CAcert root private keys
- Will result in wide-scale revocation or reissuing of certificates
- Serious damage to the reputation of CAcert's management, staff or critical systems
- Inability to issue certificates for more than two weeks
- Wide-scale significant inconvenience to users of CAcert certificates, e.g. no validation of CAcert-signed email, or no access to sites using CAcert server certificates because of CRL/OCSP failure

Moderate
- Inability to issue certificates for a period of less than two weeks
- Denial of service of CRL or OCSP services for more than 5 minutes
- Significant PR required to address failures
- Delays to the progress of the Audit / Systems Manual
- Unplanned costs greater than 1000 EUR

Minor
- Press associated with the compromise of non-critical systems
- Actions that require legal representation
- Breach of confidential communications
- Unplanned costs greater than 400 EUR

Insignificant
- Unavailability of non-critical systems for less than one day
- Need to revoke an individual identity registration

(really these should be determined and signed off by management)
Q(iang): there is an interesting comment in the choice of catastrophic and major risks, which places the survival of the organisation above the CA and reliance by (explicit and implicit) parties. I do not disagree, but it is certainly a debate to be had. The choice above to some extent reflects the "wider mission" of security rather than the "narrow mission" of "free certs". (dan): To my understanding, to meet the "wider mission of security" a governance structure is required to obtain the necessary credibility that is pretty mandated in the security community.
Q(iang): the recent debate over DoB was based on the threat of identity theft. Recent USA credit-market developments indicate that a large-scale identity theft has rocketed from a minor risk (if covered up) to a major risk (as regulators get involved, fines are likely, wholesale revision of security is indicated, etc). (dan) this almost leads to a risk assessment based on PR and legal risk (which it almost is anyway). I'm not sure that is such a bad thing either.
Likelihood Ratings

| Likelihood | Frequency |
|---|---|
| Almost Certain | Every day |
| Likely | Once every 3 months |
| Possible | Once a year |
| Unlikely | Once in 5 years |
| Rare | Less than once in 5 years |
Risk Matrix
Risk ratings are:
- E - Extreme
- H - High
- M - Medium
- L - Low

| Likelihood \ Consequence | Insignificant | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Almost Certain | H | H | E | E | E |
| Likely | M | H | H | E | E |
| Possible | L | M | H | E | E |
| Unlikely | L | L | M | H | E |
| Rare | L | L | L | M | H |
Assets
Assets here are annotated with the consequence rating should the asset no longer be available.
Intangible Assets
- Meeting obligations of an included CA in Mozilla (Major)
- Incorporation Status (Moderate)
- Reputation (Major)
- Community Support e.g. Assurers willingness to assure people (Moderate)
Systems
Different assets are critical for different reasons. The tables below indicate which security aspect of each asset carries consequences, and at what level.
Critical Systems

| Asset | Confidentiality | Integrity | Availability short term | Availability long term |
|---|---|---|---|---|
| Root key (RK) [1] | Major | Moderate | Moderate (<1 week) | Major (>1 week) |
| Signing mechanism (SM), including main website | Insignificant | Major | Moderate (<2 weeks) | Major (>2 weeks) |
| CRL/OCSP service [2] [3] | Insignificant | Major | Moderate (<5 minutes, or 99.9999%) | Major (>5 minutes, or <99.999%) |
| DNS [4] | None | Major | Moderate (<5 minutes, or 99.9999%) | Major (>5 minutes, or <99.999%) |
| User database (UDB) | Major | Major | Minor (<24 hours) | Moderate [5] (>24 hours) |
| Main website, including email/domain ping testing | Minor [6] | Insignificant | Minor (<24 hours) | Moderate [5] (>24 hours) |
Non-critical Systems

| Asset | Confidentiality | Integrity | Availability short term | Availability long term |
|---|---|---|---|---|
| List server (board/arbitration lists) | Moderate | Moderate | Minor (<1 week) | Moderate (>1 week) |
| Email server | Moderate | Moderate | Minor (<1 week) | Moderate [7] (>1 week) |
| Wiki | Minor (for ACL pages) | Minor (for ACL pages) | Minor (<1 week) | Moderate (>1 week) |
| Blog | Insignificant | Moderate | Insignificant (<2 weeks) | Minor (>2 weeks) |
| IRC | Insignificant | Insignificant | Insignificant (<2 weeks) | Minor (>2 weeks) |
| SVN | Insignificant | Minor | Insignificant (<2 weeks) | Minor (>2 weeks) |
| CATS | Minor | Moderate | Insignificant (<2 weeks) | Minor (>2 weeks) |
| Test | Insignificant | Moderate [8] | Insignificant (<2 weeks) | Minor (>2 weeks) |
| Audit | TODO: find/determine the purpose of audit | | | |
Other Assets
- Financial Assets (Moderate)
- Domains (cacert.org and others; is cacert.at as significant?) (Major)
Threats
Once CAcert is included in Mozilla browsers, the threat profile rises significantly. Because responding to these threats takes time, this risk assessment assumes inclusion status has been obtained.
- Commercial CAs
  - CAcert's zero-cost model significantly undermines the viability of other CAs' businesses.
- Crackers
  - These are largely assumed to be financed by the commercial CAs.
- Criminal fraud organisations
  - Issuing certificates for financial institutions would be highly profitable in phishing attacks.
- Government
  - Some governments view wide-scale encryption as a management threat. (Need to map this threat to legal/intelligence service objectives and priorities in order to address it.)
- Law
  - Being summonsed to court to defend a certificate issue
  - Confiscation of system assets on charges such as piracy or copyright infringement
- Disgruntled staff / members
Q(iang): the above seem to be the actors, whereas the threats might be: hacking, legal (filed case, legal seizure, privacy investigation, investigation by other regulator, etc); outside theft, loss, destruction, backups unreadable; leakage of data, sharing of data, misuse of resources, ... hmm seems like another matrix. Actor / act / summary effect ? A(dan) I'm tempted to address these in the RA table below.
Risk Assessment
Systems
Risk IDs are a concatenation of the system, the security property at risk (Confidentiality / Integrity / Availability) and, where needed, a unique number.
| id | Asset | Threat | Likelihood | Consequence | Resultant Risk | Treatment | Likelihood (after treatment) | Consequence (after treatment) | Risk (after treatment) |
|---|---|---|---|---|---|---|---|---|---|
| RK.C.1 | Confidentiality of root key | Criminal fraud organisations | Unlikely | Major | High | Physical access control + tamper zeroisation | Rare | Major | Medium |
| RK.C.2 | Confidentiality of root key backup | Criminal fraud organisations | Unlikely | Major | High | Bank vault | Rare | Major | Medium |
| RK.I | Root key integrity | Rival CA / cracker | Unlikely | Moderate | Low | Not required | | | |
| RK.A | Root key availability (long term) | Risk RK.C.1 or legal subpoena | Unlikely | Major | High | Accessible backup/restore procedures + multi-country operation | Rare | Major | Medium |
| SM.I | Signing mechanism tampered | Rival CA / cracker | Unlikely | Major | High | Audit procedures to detect false signature issue | Rare | Major | Medium |
| SM.A | Signing mechanism availability (long term) | Rival CA / cracker | Unlikely | Major | High | Per RK.A | Rare | Major | Medium |
| OCSP.I | OCSP/CRL points compromised, resulting in DoS against legitimate users (invalid status for a valid certificate) or valid status for an invalid certificate | Criminal fraud organisation / cracker / rival CA | Unlikely | Major | High | Trusted services | | | |
| OCSP.A | DDoS of CRL/OCSP | Extortion by criminal fraud organisation / cracker / rival CA | Unlikely | Major | High | Service redundancy (possible?) | Rare | Major | Medium |
| DNS.I | False DNS entries for main website / CRL / OCSP | Cracker / rival CA / criminal fraud | Unlikely | Major | High | Change control + integrity monitoring services with action to fix/shutdown; low TTL policy (?); DNSSEC | Unlikely | Moderate | Medium |
| DNS.A | DNS unavailable due to DDoS | As per OCSP.A | Rare | Major | Medium | Additional services, if the DNS.I treatments can be applied | Rare | Moderate | Medium |
| UDB.C | User database compromised | Crackers / rival CA / criminal fraudsters | Possible | Major | Extreme | Triggers for unexpected queries to shut down the DB + code audit on main interface + IDS on SM | Unlikely | Moderate | Low |
| UDB.I | User database corrupted | Criminal fraudsters, through assurer extortion, to obtain lucrative certificates | Possible | Moderate | Medium | Spot checking of domains/assurances | Possible | Minor | Low |
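The Risk Matrix and the management rule in Risk Measurement can be applied mechanically, which also makes it easy to check that a register row's stated rating agrees with its likelihood and consequence. The following Go program is an added example (it is not part of the original page or of CAcert's own tooling): it transcribes the matrix and the Systems rows of the table above, re-rates every row before and after treatment, and reports any row whose stated rating differs from what the matrix gives for its likelihood and consequence. The function and type names (Rate, Decision, Discrepancies, Risk) are the example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// Axis order of the Risk Matrix, as given in the Risk Measurement section.
var likelihoods = []string{"Almost Certain", "Likely", "Possible", "Unlikely", "Rare"}
var consequences = []string{"Insignificant", "Minor", "Moderate", "Major", "Catastrophic"}

// matrix[i][j] is the rating for likelihoods[i] x consequences[j], transcribed from the table.
var matrix = [5][5]string{
	{"H", "H", "E", "E", "E"}, // Almost Certain
	{"M", "H", "H", "E", "E"}, // Likely
	{"L", "M", "H", "E", "E"}, // Possible
	{"L", "L", "M", "H", "E"}, // Unlikely
	{"L", "L", "L", "M", "H"}, // Rare
}

var ratingName = map[string]string{"E": "Extreme", "H": "High", "M": "Medium", "L": "Low"}

// indexOf matches a scale value case-insensitively (the table writes "unlikely" in one row).
func indexOf(scale []string, v string) int {
	for i, s := range scale {
		if strings.EqualFold(s, strings.TrimSpace(v)) {
			return i
		}
	}
	return -1
}

// Rate returns the one-letter matrix rating, or an error for a value outside either scale.
func Rate(likelihood, consequence string) (string, error) {
	i, j := indexOf(likelihoods, likelihood), indexOf(consequences, consequence)
	if i < 0 || j < 0 {
		return "", fmt.Errorf("value outside the scales: likelihood=%q consequence=%q", likelihood, consequence)
	}
	return matrix[i][j], nil
}

// Decision applies the rule from Risk Measurement: above Medium is managed,
// Medium is managed if time/cost permits, Low is accepted.
func Decision(rating string) string {
	switch rating {
	case "E", "H":
		return "manage"
	case "M":
		return "manage if time/cost permits"
	}
	return "accept"
}

// Risk is one row of the Risk Assessment table. Stated holds the rating the table gives;
// the T* fields are the after-treatment columns, empty where the table leaves them blank.
type Risk struct {
	ID                                 string
	Likelihood, Consequence, Stated    string
	TLikelihood, TConsequence, TStated string
}

// register transcribes the Systems rows of the Risk Assessment table.
var register = []Risk{
	{"RK.C.1", "Unlikely", "Major", "High", "Rare", "Major", "Medium"},
	{"RK.C.2", "Unlikely", "Major", "High", "Rare", "Major", "Medium"},
	{"RK.I", "Unlikely", "Moderate", "Low", "", "", ""},
	{"RK.A", "unlikely", "Major", "High", "Rare", "Major", "Medium"},
	{"SM.I", "Unlikely", "Major", "High", "Rare", "Major", "Medium"},
	{"SM.A", "Unlikely", "Major", "High", "Rare", "Major", "Medium"},
	{"OCSP.I", "Unlikely", "Major", "High", "", "", ""},
	{"OCSP.A", "Unlikely", "Major", "High", "Rare", "Major", "Medium"},
	{"DNS.I", "Unlikely", "Major", "High", "Unlikely", "Moderate", "Medium"},
	{"DNS.A", "Rare", "Major", "Medium", "Rare", "Moderate", "Medium"},
	{"UDB.C", "Possible", "Major", "Extreme", "Unlikely", "Moderate", "Low"},
	{"UDB.I", "Possible", "Moderate", "Medium", "Possible", "Minor", "Low"},
}

// compare re-rates one stage of a row and records a mismatch against the stated rating.
func compare(out map[string][]string, id, stage, l, c, stated string) {
	got, err := Rate(l, c)
	if err != nil {
		out[id] = append(out[id], stage+": "+err.Error())
		return
	}
	if !strings.EqualFold(ratingName[got], stated) {
		out[id] = append(out[id], fmt.Sprintf("%s: table says %s, matrix gives %s for %s x %s",
			stage, stated, ratingName[got], l, c))
	}
}

// Discrepancies checks every register row before and after treatment and returns the
// mismatches keyed by risk ID; a row that agrees with the matrix has no entry.
func Discrepancies() map[string][]string {
	out := map[string][]string{}
	for _, r := range register {
		compare(out, r.ID, "initial", r.Likelihood, r.Consequence, r.Stated)
		if r.TLikelihood != "" {
			compare(out, r.ID, "after treatment", r.TLikelihood, r.TConsequence, r.TStated)
		}
	}
	return out
}

func main() {
	for _, r := range register {
		got, _ := Rate(r.Likelihood, r.Consequence)
		fmt.Printf("%-7s %-8s -> %s\n", r.ID, ratingName[got], Decision(got))
	}
	for id, problems := range Discrepancies() {
		fmt.Println("mismatch", id, strings.Join(problems, "; "))
	}
}
```

Running it shows that several rows (RK.I and UDB.I initially; DNS.A, UDB.C and UDB.I after treatment) carry a rating one step away from what the matrix gives for their likelihood and consequence. Whether the matrix or the table is authoritative is for whoever signs off the ratings, but a check like this catches the mismatch before a Medium is treated as a Low.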
Mozilla Criteria
These are based on the Mozilla CA Certificate Policy (version 1.2). The numbers in the IDs refer to the numbered requirements at http://www.mozilla.org/projects/security/certs/policy/.
| id | Asset | Threat | Likelihood | Consequence | Resultant Risk | Treatment | Likelihood (after treatment) | Consequence (after treatment) | Risk (after treatment) |
|---|---|---|---|---|---|---|---|---|---|
| MOZ.4.U | Issuing certificates without the knowledge of the entities whose information is referenced in the certificates | Internal errors / malicious insiders | | | | | | | |
| MOZ.4.F | Knowingly issuing certificates that appear to be intended for fraudulent use | Internal errors / malicious insiders | | | | | | | |
| MOZ.4.T.1 | ASN.1 DER encoding errors, invalid public keys, duplicate issuer names and serial numbers, incorrect extensions | Internal errors / malicious insiders | | | | | | | |
| MOZ.4.T.2 | cRLDistributionPoints or OCSP authorityInfoAccess extensions for which no operational CRL or OCSP service exists | Internal errors / malicious insiders | | | | | | | |
| MOZ.6.I | Provide some service relevant to typical users of Mozilla's software products | Internal errors / malicious insiders | | | | | | | |
| MOZ.6.F | Publicly disclose information about their policies and business practices | Internal errors / malicious insiders | | | | | | | |
| MOZ.6.V | Prior to issuing certificates, verify certificate signing requests in a manner acceptable to the Mozilla Foundation | Internal errors / malicious insiders | | | | | | | |
| MOZ.6.G | Provide attestation of their conformance to the stated verification requirements and other operational criteria by a competent independent party or parties with access to details of the CA's internal operations | Poor governance | | | | | | | |
| MOZ.7.CV | For a certificate to be used for digitally signing and/or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate or has been authorized by the email account holder to act on the account holder's behalf | Internal errors / malicious insiders | | | | | | | |
| MOZ.7.SV | For a certificate to be used for SSL-enabled servers, the CA takes reasonable measures to verify that the entity submitting the certificate signing request has registered the domain(s) referenced in the certificate or has been authorized by the domain registrant to act on the registrant's behalf | Internal errors / malicious insiders | | | | | | | |
| MOZ.7.CS | For certificates to be used for digitally signing code objects, the CA takes reasonable measures to verify that the entity submitting the certificate signing request is the same entity referenced in the certificate or has been authorized by the entity referenced in the certificate to act on that entity's behalf | Internal errors / malicious insiders | | | | | | | |
| MOZ.7.EV | Complies with the Guidelines for the Issuance and Management of Extended Validation Certificates and erratum | Internal errors / malicious insiders | | | | | | | |
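Of the criteria above, MOZ.4.T.1 and MOZ.4.T.2 are the ones most amenable to an automated pre-issuance check: each certificate must be well-formed DER with a usable public key, the (issuer, serial) pair must be unique, and any cRLDistributionPoints or OCSP authorityInfoAccess pointer must name a service the CA actually operates. The Go program below is an added example and not CAcert's code. It builds a small constructed batch in memory (a throw-away CA, a clean leaf, a leaf that reuses the first leaf's serial number, a leaf whose CRL pointer names a URL the CA does not serve, and a truncated DER blob) and lints it against an allow-list of operational endpoints. The example.test hostnames and the allow-list are assumptions of the example; in production the allow-list would hold the CA's real endpoints, and a linter would additionally probe that they answer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one pre-issuance check failure; Serial is "?" when the DER did not parse.
type Finding struct {
	Serial, Problem string
}

// operational lists the CRL and OCSP URLs this constructed CA actually serves (an assumption
// of the example; a real deployment would list its own endpoints).
var operational = map[string]bool{
	"http://crl.example.test/ca.crl": true,
	"http://ocsp.example.test/":      true,
}

// Lint applies the MOZ.4.T.1 and MOZ.4.T.2 checks to a batch of DER-encoded certificates.
func Lint(ders [][]byte, operational map[string]bool) []Finding {
	var findings []Finding
	seen := map[string]bool{} // "issuer|serial" pairs already issued
	for _, der := range ders {
		cert, err := x509.ParseCertificate(der)
		if err != nil { // MOZ.4.T.1: ASN.1 DER encoding errors
			findings = append(findings, Finding{"?", "DER encoding error: " + err.Error()})
			continue
		}
		serial := cert.SerialNumber.String()
		// MOZ.4.T.1: invalid public keys. The parser rejects malformed keys outright; a key
		// algorithm it does not recognise leaves PublicKey nil, which relying parties cannot use.
		if cert.PublicKey == nil {
			findings = append(findings, Finding{serial, "unusable public key"})
		}
		// MOZ.4.T.1: duplicate issuer names and serial numbers
		key := cert.Issuer.String() + "|" + serial
		if seen[key] {
			findings = append(findings, Finding{serial, "duplicate issuer name and serial number"})
		}
		seen[key] = true
		// MOZ.4.T.2: every CRL/OCSP pointer must name an operational service
		for _, u := range cert.CRLDistributionPoints {
			if !operational[u] {
				findings = append(findings, Finding{serial, "cRLDistributionPoints names non-operational " + u})
			}
		}
		for _, u := range cert.OCSPServer {
			if !operational[u] {
				findings = append(findings, Finding{serial, "authorityInfoAccess OCSP names non-operational " + u})
			}
		}
	}
	return findings
}

// SampleBatch builds, in memory only, a throw-away CA and four test inputs. Everything here
// is constructed for the example; a failure to generate it is a programming error, hence panic.
func SampleBatch() [][]byte {
	const crlURL, ocspURL = "http://crl.example.test/ca.crl", "http://ocsp.example.test/"
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now,
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	caCert, _ := x509.ParseCertificate(caDER)
	// leaf issues one end-entity certificate with the given serial number and CRL pointer.
	leaf := func(serial int64, crl string) []byte {
		k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		tmpl := &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: fmt.Sprintf("leaf-%d.example.test", serial)},
			NotBefore:             now,
			NotAfter:              now.Add(24 * time.Hour),
			KeyUsage:              x509.KeyUsageDigitalSignature,
			CRLDistributionPoints: []string{crl},
			OCSPServer:            []string{ocspURL},
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &k.PublicKey, caKey)
		if err != nil {
			panic(err)
		}
		return der
	}
	good := leaf(1000, crlURL)
	return [][]byte{
		good,
		leaf(1000, crlURL),                            // serial number reused under the same issuer
		leaf(1001, "http://crl.example.test/old.crl"), // CRL pointer the CA does not serve
		good[:20],                                     // truncated DER
	}
}

func main() {
	for _, f := range Lint(SampleBatch(), operational) {
		fmt.Printf("serial %s: %s\n", f.Serial, f.Problem)
	}
}
```

The duplicate check keys on issuer name plus serial rather than serial alone because the policy wording is about the pair; two different CAs may legitimately issue the same serial. The endpoint check is deliberately an exact-string allow-list: a pointer that differs only in path or scheme from the served URL is exactly the "no operational service" case the criterion is about.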
Legal

| id | Asset | Threat | Likelihood | Consequence | Resultant Risk | Treatment | Likelihood (after treatment) | Consequence (after treatment) | Risk (after treatment) |
|---|---|---|---|---|---|---|---|---|---|
References
Footnotes
(1) The root key must be available at least once per week, otherwise CRLs and OCSP become unavailable.
(2) Mozilla Policy specifies availability of these services: http://www.mozilla.org/projects/security/certs/policy/
(3) If it doesn't work, then Thunderbird and Firefox stop working for all servers with CAcert certificates.
(4) Consequence directly tied to the ability to support OCSP/CRL.
(6) Loss of the site SSL key; assumes no access to the user database listed above.
(7) Based on typical email retry times; applicable to the support/management/arbitration email services.
(8) As test systems are migrated into production, this is a potential code compromise point.