Closed Bug 1659426 Opened 1 year ago Closed 1 year ago

E-Tugra: audit delay because of an environmental disaster/pandemic

Categories

(NSS :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dtokgoz, Assigned: dtokgoz)

Details

(Whiteboard: [ca-compliance][audit-delay][covid-19])

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
    E-Tugra became aware of the problem on 20th July, and aimed to complete the audits on 17th August. As of today, we cannot schedule the audit with the auditor to start on 17th August, because of a lockdown due to an environmental disaster/pandemic.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
    The last audit covers the dates August 3rd 2018 - July 26th 2019.

The next audit was planned before 20th July, with the audit reports to be sent by 15th October at the latest. But due to COVID-19 and some local restrictions, the audits were postponed and planned to start on 17th August with the auditor.

But under the latest circumstances we need to postpone it again to September. The exact dates will be defined next week.

Under these conditions the audits can be completed at the beginning of September and the report can be prepared in as short a time as possible.

  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
    Current CA operations are continuing as normal. We are aiming to complete the audit in September and deliver the report as soon as possible.

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
    N/A

  5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
    N/A

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
    The current restrictions on work and international travel throughout the world have impacted the usual timelines for audit procedures.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
    E-Tugra and the auditors are trying their best to complete the audits. We hope this unexpected force majeure will disappear. Otherwise a new method or scheduling process will be defined for the next audits.

Summary: E-Tugra: Tracking bug for audit delays → E-Tugra: audit delay because of an environmental disaster/pandemic
Whiteboard: [ca-compliance][audit-delay][covid-19]

(In reply to Davut Tokgöz from comment #1)

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
    E-Tugra became aware of the problem on 20th July, and aimed to complete the audits on 17th August. As of today, we cannot schedule the audit with the auditor to start on 17th August, because of a lockdown due to an environmental disaster/pandemic.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
    The last audit covers the dates August 3rd 2018 - July 26th 2019.

The next audit was planned before 20th July, with the audit reports to be sent by 15th October at the latest. But due to COVID-19 and some local restrictions, the audits were postponed and planned to start on 17th August with the auditor.

But under the latest circumstances we need to postpone it again to September. The exact dates will be defined next week.

Under these conditions the audits can be completed at the beginning of September and the report can be prepared in as short a time as possible.

Davut,

Can you please share more precise details around this? You can see https://wiki.mozilla.org/CA/Audit_Statements#Audit_Delay for the minimum expectations. The goal here is to be fully transparent about operations to help allow independent verification.

Assignee: bwilson → dtokgoz
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true

E-Tugra is a CA company based in Turkey and works with LSTI on ETSI-based auditing for CabForum and browsers' root policy requirements.
LSTI is an auditing company based in France.
As in the whole world and in France, COVID-19 pandemic problems began in Turkey in March and still continue with decreasing effect.
A curfew was imposed until the beginning of June and all international flights were suspended until the end of May. Limited commercial flights to European countries were started on June 12th in Turkey.
Until the end of June, the risk of COVID-19 continued at the E-Tugra center location. During this period, the majority of our staff continued to work from home. We ensured that the minimum number of personnel that would be needed continued to work at the E-Tugra center.
Due to this uncertainty about transportation, accommodation and physical access, we could not plan to perform the audit before July 26th.
LSTI tried to do its best to organize and perform audits during this process and had trouble planning all of their audits, including E-Tugra's.
In July, the risk of the pandemic began to reduce considerably and LSTI aimed to organize an audit that would start on August 17th. But due to restrictions on the auditors' workload and other auditing plans, we could not carry it out on August 17th.
Together with the audit firm, we are currently working on the completion of the audit in September. LSTI is also working on the possibility of partial or full remote auditing.
We will inform all parties as soon as new information is available about the dates for the execution of the audit and the preparation of the audit letter.

The E-Tugra 2020 yearly audit was completed between Sep 21st-25th by LSTI. LSTI will do its best in preparing and finalizing the audit report and audit letter. When the reports are ready, we will announce it here.

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED