A few months ago, I posted about a French CA that appeared to be cheating.
For those who do not want to read the previous post, the short story is: go to some bank web site. Enter a fake name. Receive an e-signed document with your fake name, included in a certificate that is approved by Adobe. So the document looks legit. I still invite you to read the previous post, since I will not go through the details in this one, but will detail some other aspects.
Following a comment I received, I decided to try the same with another French CA.
I found a website that was “powered” by CertEurope, this time. And I did the same. Filled random forms in French with random junk. And … ? And … ? And … ? Yes, you guessed it: same outcome. I obtained legit-looking PDFs signed by junk, Obama, Jobs, Adobe…
One French CA cheating is weird. Two French CAs cheating tells me I screwed up with my analysis and that they are, in fact, NOT cheating. Or are they?
Let us take a look at the signature in more details.
Contrary to the previous case, the bogus certificate does not chain up to the Adobe root. This means it is the newer AATL scheme, not the old CDS scheme. The certificate was issued from one intermediary CA of CertEurope, a small French CA.
The details pane shows us the following:
The email and the CN are whatever I typed in the forms, and there is one unknown attribute. Other fields show us the certificate is valid for 1 day, and in yet another one, we find the OID of the policy: 220.127.116.11.18.104.22.168.0
It is very similar to my last experience with Keynectis. Short-lived certificate, no identity checks, I did not have access to the private key, I did not get to choose which document to sign, but I did have the green bar in Adobe Reader.
Back to the OID. Having learned from last time, I quickly open the list of audited CAs from the French site LTSI. And I find …
All close, none just right. Again, we have an unaudited CA that does not perform any identity checks before issuing a certificate, but that is approved by Adobe.
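The check described above (pull the policy OID and the validity period out of the signing certificate, then compare the OID against the auditor's list) can be automated so it does not rely on eyeballing a details pane. The following is an added example, not code from the original post or from any CA or auditor mentioned in it. It decodes the DER-encoded certificatePolicies extension with the standard library only, reads the UTCTime validity fields, and flags policies that are not on an allow-list. The allow-list and the sample policy OID are constructed placeholders; the real audited list would be filled from the auditor's published data, and the extension bytes would be taken from the actual certificate.

```python
"""Added example: decode certificatePolicies from DER and compare against an
allow-list of audited policy OIDs, plus a short-validity check.
Pure standard library; all OIDs below are constructed placeholders."""
from datetime import datetime, timezone

# Hypothetical allow-list of policy OIDs belonging to audited CAs (constructed).
AUDITED_POLICY_OIDS = {"1.2.3.4.5.1", "1.2.3.4.5.2"}


def _base128(n):
    """Encode one OID sub-identifier in base-128 with continuation bits."""
    out = bytearray([n & 0x7F])
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted):
    """Dotted OID string -> DER content bytes (first two arcs are merged)."""
    arcs = [int(a) for a in dotted.split(".")]
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    return b"".join(_base128(s) for s in subids)


def decode_oid(data):
    """DER content bytes -> dotted OID string."""
    subids, val = [], 0
    for b in data:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(val)
            val = 0
    first = subids[0]
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    return ".".join(map(str, arcs + subids[1:]))


def der_tlv(tag, content):
    """Wrap content in a DER tag-length-value triple (definite length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(data, pos):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def policy_oids(ext_value):
    """certificatePolicies ::= SEQUENCE OF SEQUENCE { policyIdentifier OID, ... }
    Returns the list of policy OIDs as dotted strings; qualifiers are ignored."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)
        otag, oid_bytes, _ = read_tlv(info, 0)
        if tag != 0x30 or otag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(decode_oid(oid_bytes))
    return oids


def validity_days(not_before, not_after):
    """UTCTime strings as found in the certificate, e.g. '130514120000Z'."""
    fmt = "%y%m%d%H%M%SZ"
    nb = datetime.strptime(not_before, fmt).replace(tzinfo=timezone.utc)
    na = datetime.strptime(not_after, fmt).replace(tzinfo=timezone.utc)
    return (na - nb).total_seconds() / 86400


def assess(ext_value, not_before, not_after, audited=AUDITED_POLICY_OIDS):
    """Return the findings a reviewer would want: which policies are on the
    audited list, which are not, and whether the certificate is short-lived."""
    oids = policy_oids(ext_value)
    days = validity_days(not_before, not_after)
    return {
        "policy_oids": oids,
        "audited": [o for o in oids if o in audited],
        "unaudited": [o for o in oids if o not in audited],
        "validity_days": days,
        "short_lived": days <= 1,
    }


# Constructed sample: a policy OID close to, but not on, the audited list,
# wrapped in a certificatePolicies extension with one PolicyInformation.
SAMPLE_POLICY = "1.2.3.4.5.9"
SAMPLE_EXT = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, encode_oid(SAMPLE_POLICY))))

if __name__ == "__main__":
    print(assess(SAMPLE_EXT, "130514120000Z", "130515120000Z"))
```

On a real certificate the extension bytes come from the `certificatePolicies` (OID 2.5.29.32) entry of the tbsCertificate extensions; the point of the check is that "close" is not "on the list", which is exactly what the manual comparison above turned up.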
So, is it a big deal? Well, yeah, it is starting to be.
Of course, as with Keynectis, the signature is obviously a fake, and I could not reuse the private key since I never got it. However, French people need to be educated on the meaning of COMPLIANCE.
Not compliance as in “Yeah, sure, we do stuff all right, my mate. Have another glass of wine”, but as in: “Here are the rules. Follow them. Period”.
So, the rules…
This time, I went and found the AATL Adobe requirement on the web. And it says:
4. Non-governmental Members must have successfully passed, within the past 18 months, and continue to pass on an annual basis, any or all of the following:
4.1 WebTrust for CA audit;
4.2 ETSI 101 456 audit;
4.3 ETSI 102 042 audit;
4.4 ISO 21188:2006; and/or
4.5 German Digital Signature law audit
Anyone? Didn’t you mates forget something? … The audit?
7.2 The Member must demonstrate the use of strong identification and authorization procedures and be willing to provide documentation to Adobe on the processes. In particular, the Member must warrant that all information and representations made by the Subscriber and ICAs that chain up to the Certificate are true;
Ooooooops. My bad. Forgot to warrant the identity. Have another glass of wine.
From this information, I decided to revise the hypothesis of my previous post regarding Adobe compliance team:
- Adobe compliance auditors do not even look at the applications
- Adobe compliance auditors have been given too much wine to drink
- Keynectis AND CertEurope both cheated on Adobe
And for point #3, a possible explanation came to my mind:
- Set up a compliant CA and have it approved by Adobe
- Cross-certify it with a non-compliant CA and hope no-one will see
- Profit !!!
Again, the thing I’m not sure of is whether the French auditor list includes all CAs. If they were really audited, I would not want to be their auditor today.
I found 4 (or 5?) French CAs in the AATL list of members. Therefore, at least between 40% and 50% of the French CAs are cheating Adobe, by not being compliant with the rules of the program (I’ll check the others when I have time). The harm done to the rest of the industry is starting to be unbearable. The “Green bar” in Adobe will soon be an Internet joke.