Open Bug 1728790 Opened 15 days ago Updated 10 days ago

emSign Audit Delay: Incident Report

Categories

(NSS :: CA Certificate Compliance, task)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: vijay, Assigned: vijay)

Details

(Whiteboard: [ca-compliance][audit-delay][covid-19])

Attachments

(6 files)

Summary:
This incident submission is related to the delay encountered by emSign CA (eMudhra) in the submission of Audit Statements. Our annual audit period for all emSign CAs runs from June 1st of one year to May 31st of the following year. The current year's audit was commenced on time, and was aimed to close by the end of July-2021. However, sporadic local lockdowns in India due to the second wave and other travel restrictions caused some delays. Mozilla Policy (https://wiki.mozilla.org/CA/Audit_Statements#Audit_Delay) requires the latest statements to be “provided to Mozilla via the CCADB within three months of the point-in-time date or the end date of the period”. We had one month of buffer time to the cut-off date of 31-Aug-2021 (compared to the estimated completion date of July end), and were in continuous coordination with our auditor. However, the final seals are still not available. This week, the auditor has expressed that uncertain delays are being encountered (attached letter) and has given an estimated date of the third week of Sep-2021 for availability of Statements / Seals. In the meanwhile, the Auditor has confirmed successful completion of the Audit via the report dated 27-Aug-2021. These are expected to be published through WebTrust Seals / CPA Canada.

How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
We became aware of the problem (delay) during August, but were in coordination with the Auditor for timely closure.

A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
Current Audit period: 01-Jun-2020 to 31-May-2021
Audit Commencement Date: 08-Jun-2021
Audit Report Date: 27-Aug-2021
Audit Statement Publication / WebTrust Seals: Expected by third week of Sep-2021

Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
Not applicable for this issue.

A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
Not applicable for this issue.

The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
Not applicable for this issue.

Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
The current Covid-19 pandemic is unprecedented. The current restrictions and international travel in the region have impacted the usual timelines for audit procedures for both emSign and the Auditor.

List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
The current Audit Statement submission to the CCADB website is expected to be completed by the third week of September 2021 at the latest. We are working with the Auditor to follow and adhere to this timeline. For future audits, we are expecting the situation to be much better. We understand the criticality of timely audit closure and have been working on improving the timelines with Auditors, even in situations like this. The emSign Policy Authority is vigilant in this direction.

Whiteboard: [ca-compliance][audit-delay][covid-19]
Assignee: bwilson → vijay
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

As an update to this thread, there is no change in the status of the WebTrust Seals' arrival, and we are waiting for the update from our Auditor (estimated by third week of Sep-2021).

In the meanwhile, we are herewith attaching our 2021 WebTrust audit reports as received from our Auditor. Mozilla Policy (https://wiki.mozilla.org/CA/Audit_Statements#Audit_Delay) requires the latest statements to be “provided to Mozilla via the CCADB within three months of the point-in-time date or the end date of the period”. However, as reported in this incident, there is a delay in the arrival of the WebTrust Seals from our Auditor / CPA Canada due to the reasons expressed by the Auditor in the attachment. Once these WebTrust Seals are made available, the latest reports will be updated via the CPA Canada link in our Repository. In the interim, we are publishing the audit reports received from our auditor as attachments to this incident, and using those URLs to submit the necessary Audit case in CCADB.
