Cybertrust Japan (CTJ) operates subordinate CAs signed by Security Communication RootCA2 (SECOM).
Therefore, SECOM posts this incident report, prepared by CTJ, on CTJ's behalf.
CTJ undergoes its own WebTrust audit, so its audit reports exist independently of SECOM's.
Here is the incident report.
In a follow-up report, CTJ may reply with details on this matter and on the audit, depending on the contents.
The incident report
1. How your CA first became aware of the problem.
CTJ identified a problem with the annual update of its CPS.
BR section 2.3 and Mozilla Root Store Policy section 3.3 state that the CA SHALL update all CPs and CPSes annually, even if no other changes are made to the document.
The CPS update is overdue.
- CPS last update: Apr 1 2021 (version 1.2)
- CPs last update: Nov 30 2021
The issue was noticed while the CA Supervisor, together with the RA and IA teams, was reviewing a draft of the next CPS update (version 1.3) and of the CPs.
2. A timeline of the actions your CA took in response.
All dates and times are JST.
4/1/2021 CTJ: CPS version 1.2 was published
5/11 11:10 2022 CTJ: Identified the issue
5/11 11:34 CTJ: Informed Policy Authority (PA)
5/11 13:00 CTJ: PA meeting held
5/11 17:00 CTJ: Informed SECOM Trust Systems (SECOM)
5/12 9:00 - 17:00 2022 CTJ: PA discussions held several times to analyze the cause and remediation plans thoroughly
5/12 17:37 CTJ: Informed Auditor
5/12 18:00 CTJ: Submitted Incident Report for Review to SECOM
3. Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident.
Certificate issuance was not stopped because the issue did not result in misissuance of certificates.
4. In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g. OCSP failures, audit findings, delayed responses, etc.)
5. In a case involving certificates, the complete certificate data for the problematic certificates.
6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
We had an opportunity to revise our policies last November, so we reviewed all CPs and the CPS and concluded that the CPs needed revision. We think that we missed the opportunity to update the CPS at that time. We also investigated why we missed updating it between last November and April 1 of this year. PA regular meetings are held monthly, and the PA did discuss policy at the March meeting; however, we concluded that no revision was necessary. Again, we missed the opportunity to update “even if no other changes are made to the document.” These are facts, not the cause. The cause, we think, is that proposals for policy updates had been raised by the CA supervisor, an action that usually starts when industry standards or browser policies change. With that approach, the annual assessment and update of policies, even when no other changes are made to the documents, will be missed.
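The root cause above is that the update was event-triggered (a standards or browser-policy change) rather than deadline-triggered. As an added illustration, not part of CTJ's report or of SECOM's or CTJ's own tooling, the following Python check treats the annual update as a calendar deadline for every policy document: it computes the due date from the last publication date, flags documents that are overdue, and warns ahead of time so a revision can be drafted and approved before the deadline. The 365-day maximum and the 60-day warning window are assumptions; the sample documents reuse the dates given in this report, with the assessment date set to the day the issue was identified.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: "annually" is modelled as a 365-day maximum age, the strictest
# reading of BR 2.3 / MRSP 3.3 ("at least every 365 days").
MAX_AGE_DAYS = 365
# Assumption: internal lead time needed to draft, review and approve a revision.
WARN_WINDOW_DAYS = 60


@dataclass(frozen=True)
class PolicyDocument:
    name: str
    version: str
    last_updated: date


@dataclass(frozen=True)
class ReviewStatus:
    name: str
    version: str
    due: date             # last day on which a new version must be published
    days_until_due: int   # negative when the deadline has already passed
    state: str            # "ok", "due-soon" or "overdue"


def assess(doc: PolicyDocument, today: date,
           max_age_days: int = MAX_AGE_DAYS,
           warn_window_days: int = WARN_WINDOW_DAYS) -> ReviewStatus:
    """Compute the annual-update deadline for one document and classify it."""
    due = doc.last_updated + timedelta(days=max_age_days)
    remaining = (due - today).days
    if remaining < 0:
        state = "overdue"
    elif remaining <= warn_window_days:
        state = "due-soon"
    else:
        state = "ok"
    return ReviewStatus(doc.name, doc.version, due, remaining, state)


def assess_all(docs, today: date):
    """Assess every policy document, soonest deadline first."""
    return sorted((assess(d, today) for d in docs), key=lambda s: s.due)


def needs_action(docs, today: date):
    """Documents that must be revised now (overdue) or scheduled (due soon)."""
    return [s for s in assess_all(docs, today) if s.state != "ok"]


# Constructed sample inventory using the dates stated in the report.
POLICY_DOCS = [
    PolicyDocument("CPS", "1.2", date(2021, 4, 1)),
    PolicyDocument("CPs", "2021-11", date(2021, 11, 30)),  # version label assumed
]
# Assessment date: when CTJ identified the issue (JST date from the timeline).
IDENTIFIED_ON = date(2022, 5, 11)


def report(docs=POLICY_DOCS, today: date = IDENTIFIED_ON) -> str:
    """Render a one-line-per-document status table for a monthly PA meeting."""
    lines = [f"Policy review status as of {today.isoformat()}"]
    for s in assess_all(docs, today):
        lines.append(f"{s.name:<4} v{s.version:<8} due {s.due.isoformat()} "
                     f"({s.days_until_due:+d} days) {s.state.upper()}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Running the block as-is shows the CPS 40 days past its deadline on the day the issue was found, while the CPs still have about seven months; hooking `needs_action` into the monthly PA meeting agenda would have surfaced the CPS in the February meeting (inside the 60-day window) and again as overdue in April and May, independently of whether any external policy had changed.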
7. List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.
It will be described in the next report.
Thank you for your consideration.