Closed Bug 1769222 Opened 3 years ago Closed 2 years ago

SECOM: Failed an annual CPS update of Cybertrust Japan (CTJ)

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: h-kamo, Assigned: h-kamo)

Details

(Whiteboard: [ca-compliance] [policy-failure])

Cybertrust Japan (CTJ) operates subordinate CAs signed by Security Communication RootCA2 (SECOM).
Therefore, SECOM posts an incident report prepared by CTJ on their behalf.
CTJ undergoes its own WebTrust audit, so its audit reports exist independently from SECOM's.

Here is the incident report.
In a follow-up report, CTJ may reply with details on this matter and the audit depending on the contents.

The incident report

1. How your CA first became aware of the problem.

CTJ identified a problem with the annual update of its CPS.
BR section 2.3 and Mozilla Root Store Policy 3.3 state that a CA SHALL annually update all CPs and CPSes even if no other changes are made to the document.
The CPS update is overdue.

  • CPS Last Update: Apr 1 2021 as version 1.2
  • CPs Last Update: Nov 30 2021
    This time, while the CA Supervisor and the RA and IA teams were reviewing a draft of the next CPS update (version 1.3) and the CPs, they noticed this issue.

2. A timeline of the actions your CA took in response.

All dates and times are JST.

4/1/2021 CTJ: CPS version 1.2 was published
5/11 11:10 2022 CTJ: Identified the issue
5/11 11:34 CTJ: Informed Policy Authority (PA)
5/11 13:00 CTJ: PA meeting held
5/11 17:00 CTJ: Informed SECOM Trust Systems (SECOM)
5/12 9:00 - 17:00 CTJ: PA discussion held several times to analyze cause and remediation plans thoroughly
5/12 17:37 CTJ: Informed Auditor
5/12 18:00 CTJ: Submitted Incident Report for Review to SECOM

3. Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident.

Certificate issuance was not stopped because the issue did not result in misissuance of certificates.

4. In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g. OCSP failures, audit findings, delayed responses, etc.)

N/A.

5. In a case involving certificates, the complete certificate data for the problematic certificates.

N/A.

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

We had an opportunity to revise our policies last November, so we reviewed all CPs and the CPS, and we concluded that the CPs needed to be revised. We think that we missed an opportunity to update the CPS. Then, we also investigated why we missed updating it from last November to April 1 of this year. PA regular meetings have been held monthly, and the PA actually discussed policy in the March meeting. However, we concluded that no revision was necessary. Again, we missed the opportunity to update “even if no other changes are made to the document.” These are not the cause, but facts. The cause, we think, is that proposals for policy updates had been raised by the CA supervisor. This action usually starts when industry standards or browser policy change. With that approach, the annual assessment and updating of policies even if no other changes are made to the documents will be missed.

7. List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.

It will be described in the next report.

Thank you for your consideration.

Best regards,
Hisashi Kamo

Assignee: bwilson → h-kamo
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance]

Ben-san,

The CPS update (version 1.3) was made on May 13.
Please let us have some time for preparing #7 of our incident report.

Thank you for your consideration.

Best regards,
Hisashi Kamo

Ben-san,

Here is comment #7 of our incident report.

7. List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.

(CTJ)
Strengthened annual assessment procedures.
CTJ transferred responsibility for the periodic annual assessment from the CA supervisor to the PA; the PA now develops and executes the plan. (May 20, 2022)
The schedule and status of the task will be reviewed at the monthly PA meetings.

(SECOM)
As a Root CA, SECOM has started to manage and check the revision status of the CPs/CPSes of its subordinate CAs, and notifies them before the renewal deadline of their annual update is exceeded. (May 14, 2022)

Thank you for your consideration.

Best regards,
Hisashi Kamo

Kamo-san,
What other remediation steps, if any, are planned?
Thanks,
Ben

Flags: needinfo?(h-kamo)

Ben-san,

We believe the remediation is working properly.
The reformed monthly review at the PA meeting has started at CTJ, and SECOM is constantly checking the revision status of the CPs/CPSes of its subordinate CAs.
We are quite confident that continued implementation of the above will prevent recurrence of this issue.
Thus, no additional steps are planned.

Thank you for your consideration.

Best regards,
Hisashi Kamo

Flags: needinfo?(h-kamo)

Ben-san,

The monthly review at CTJ's PA meetings and SECOM's checking of revision status are working properly.

We believe there are no other remediation steps related to this bug.
Thank you for your consideration.

Best regards,
Hisashi Kamo

I will close this bug on or about Friday, 15-Jul-2022.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [policy-failure]
Summary: SECOM: Failed an annual update of Cybertrust Japan (CTJ) CPS → SECOM: Failed an annual CPS update of Cybertrust Japan (CTJ)