iTrusChina: Failure to Respond to May 2022 Survey
Categories: CA Program :: CA Certificate Compliance, task
Tracking: Not tracked
People: Reporter: bwilson, Assigned: vTrus_contact
Details: Whiteboard: [ca-compliance] [disclosure-failure]
Pursuant to Mozilla Root Store Policy section 4.2, https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#42-surveys, "CA operators are REQUIRED to respond to the surveys with accurate information, within the timescale defined in the survey." iTrusChina was required to respond to the May 2022 Communication and Survey by May 31, 2022, and has failed to do so.
Comment 1 (Assignee, 3 years ago)
We have completed the submission today. In fact, we completed filling in and submitting the survey as early as May 20, but we didn't realize that the submission was not successful. We also forgot to check whether our responses were on wiki.mozilla.org, so we missed the deadline of May 31. I'm sorry for that. We'll pay more attention to it next time.
Comment 2 (Assignee, 3 years ago)
- How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in the MDSP mailing list, a Bugzilla bug, or internal self-audit), and the time and date.
We received an email from Ben Wilson this morning (June 3, 2022) and learned that the survey reply previously filled in was not submitted successfully.
- A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
We completed and submitted it on May 20, 2022, visited https://wiki.mozilla.org/CA/Communications#May_2022_Responses and saw the list of responses for items 1 to 10 as our successful submission, but we did not click into the items' links to see whether there were responses from us.
When we received the reminder email on June 1, 2022, we thought it was a reminder email automatically sent by the system and did not realize that our submission was unsuccessful, so we only replied to that email saying that we had submitted.
At 9:30 on June 3, 2022, we received an email from Bugzilla and learned that it had not been submitted successfully.
We resubmitted at 10:00 on June 3, 2022, and visited https://wiki.mozilla.org/CA/Communications#May_2022_Responses to confirm that it had been submitted successfully.
- Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident. A statement that you have stopped will be considered a pledge to the community; a statement that you have not stopped requires an explanation.
This is not a case involving certificates, and we did not issue certificates during the resolution of the problem.
- In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g. OCSP failures, audit findings, delayed responses, etc.), please provide other similar statistics, aggregates, and a summary for each type of problem identified. This will help us measure the severity of each problem.
This is not a case involving certificates.
- In a case involving TLS server certificates, the complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem. It is also recommended that you use this form in your list "https://crt.sh/?sha256=[sha256-hash]", unless circumstances dictate otherwise. When the incident being reported involves an SMIME certificate, if disclosure of personally identifiable information in the certificate may be contrary to applicable law, please provide at least the certificate serial number and SHA256 hash of the certificate. In other cases not involving a review of affected certificates, please provide other similar, relevant specifics, if any.
This is not a case involving certificates.
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
We did not have another person review the submission, so we failed to notice at that time that the submission was not successful.
We resubmitted at 10:00 on June 3, 2022, and asked another person to visit https://wiki.mozilla.org/CA/Communications#May_2022_Responses to confirm that it had been submitted successfully.
- List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.
The root policy is reviewed by a team, but the survey is filled in and submitted by a single person. In the future, we will have a second person review it, to avoid such problems.
Comment 3 (Reporter, 3 years ago)
I will close this on or about Friday, 10-June-2022.