Closed Bug 1572992 Opened 5 years ago Closed 5 years ago

NetLock: Failure to provide regular and timely incident updates

Categories

(CA Program :: CA Certificate Compliance, task)


Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: wthayer, Assigned: varga.viktor)

Details

(Whiteboard: [ca-compliance] [policy-failure])

Netlock has repeatedly failed to respond and provide updates in bug 1462423. This violates Mozilla's requirements: https://wiki.mozilla.org/CA/Responding_To_An_Incident#Keeping_Us_Informed

Netlock: please provide an incident report using the Mozilla template (https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report) that explains why regular and timely updates have not been received and what Netlock is doing to prevent this in the future.

Flags: needinfo?(varga.viktor)

Incident report

  1. How your CA first became aware of the problem

Via the email of Mr. Wayne Thayer to the primary and secondary POCs on 10/08/2019.

  1. A timeline of the actions your CA took in response.

  2. The POCs received the email from Wayne Thayer on 10/08/2019

  3. Bug #1462423 has been updated by Viktor Varga on 12/08/2019

  4. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem.

No problematic certificate had been issued regarding this problem; this is not a certificate issuance case.

  1. A summary of the problematic certificates.

None.

  1. The complete certificate data for the problematic certificates.

No certificates were involved in this case.

  1. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

The first missing answer was caused by our mail filter.
As it was explained in the bug thread #1462423 in Comment #16, the Bugzilla mail address was whitelisted.

The cause of the second missing answer was the misunderstanding of the thread comments. The follow-up request was not clear to me.
After the mail of Mr. Wayne Thayer, the thread #1462423 was updated asap.

  1. List of steps your CA is taking to resolve the situation

For the first case, as it was explained in the bug thread #1462423 in Comment #16, the Bugzilla mail address was whitelisted.

For the second case, we changed the handling of these communications. The new rule:
If a ticket is updated and the comment is not 100% clear in its meaning for us, we will ask for clarification.

Flags: needinfo?(varga.viktor)

Because some of the numbering of the timeline was garbled a little bit in my response, and I didn't find an option to edit my comment, I am sending this part again:

A timeline of the actions your CA took in response:

  1. The POCs received the email from Wayne Thayer on 10/08/2019
  2. Bug #1462423 has been updated by Viktor Varga on 12/08/2019

(In reply to Wayne Thayer [:wayne] from comment #0)

Netlock has repeatedly failed to respond and provide updates in bug 1462423. This violates Mozilla's requirements: https://wiki.mozilla.org/CA/Responding_To_An_Incident#Keeping_Us_Informed

Netlock: please provide an incident report using the Mozilla template (https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report) that explains why regular and timely updates have not been received and what Netlock is doing to prevent this in the future.

Dear Wayne,

First, let me introduce myself, I am Szabolcs Oravecz, Deputy Head of IT Operations at Netlock Ltd.

Please allow me to reflect on the issues you have raised.

As a result of a broader review of our processes and practices, we had identified some of the main gaps that led to our lack of timely updates. To address these issues, we made some structural changes in our organization and processes.
As part of these changes, we would like to initiate the modification of our primary and secondary POC persons or addresses. Please let us know about the process on how to do that.
For your kind information, Viktor is now part of our advisory team, and a dedicated team will take over his duties as contact person in cases with Mozilla from now on.
We believe that these changes will allow us to fully satisfy all the requirements in Mozilla policy in this case and in the future.
Please let us know if a detailed incident report regarding this issue is also needed, given the information above and the actions we are taking.

Kind regards
Szabolcs

Kathleen: I missed Comment #3 last week - You'd be the one to chat with on the CCADB side.

Szabolcs: Can you indicate the Bugzilla account(s) to be used in the future?

Flags: needinfo?(kwilson)

Setting N-I to Wayne as to whether Comment #3 addresses Comment #0

Flags: needinfo?(wthayer)

Clearing my needinfo. I sent email to Szabolcs on August 27 requesting details about how to update Netlock's POCs in the CCADB. I plan to make the changes when I receive a reply to that email.

Flags: needinfo?(kwilson)

(In reply to Kathleen Wilson from comment #6)

Clearing my needinfo. I sent email to Szabolcs on August 27 requesting details about how to update Netlock's POCs in the CCADB. I plan to make the changes when I receive a reply to that email.

Dear Kathleen,
I sent you by mail the request to update the POC in the CCADB to Szabolcs.
At first, Szabolcs will be replacing Andras Somkuti as contact.
Sincerely yours, Viktor

Confirmed that CCADB has been updated. Bug 1462423 has also been resolved.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(wthayer)
Resolution: --- → FIXED
Product: NSS → CA Program
Summary: Netlock: Failure to provide regular and timely incident updates → NetLock: Failure to provide regular and timely incident updates
Whiteboard: [ca-compliance] → [ca-compliance] [policy-failure]