Closed Bug 1772413 Opened 8 months ago Closed 8 months ago

eMudhra: Failure to Respond to May 2022 Survey

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bwilson, Assigned: vijay)

Details

(Whiteboard: [ca-compliance])

Pursuant to Mozilla Root Store Policy section 4.2, https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#42-surveys, "CA operators are REQUIRED to respond to the surveys with accurate information, within the timescale defined in the survey." May 31, 2022, was the time by which eMudhra was required to respond to the May 2022 Communication and Survey, and it has failed to do so.

Assignee: bwilson → vijay
Status: NEW → ASSIGNED
Flags: needinfo?(vijay)

Summary:
This is with reference to our delay/failure to timely submit the Survey response to Mozilla.

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in the MDSP mailing list, a Bugzilla bug, or internal self-audit), and the time and date.

We came to know through an email from Mozilla on June 3, 2022.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

Learnt about the May Survey via discussions in MDSP on 13-May-2022 and 17-May-2022.
Email about the Survey from CCADB received on 17-May-2022.
Internally, the compliance team has been working on changes and impact analysis. The work on finalizing the survey response is taken up by the same team.
Reminder email received from Mozilla on 01-June-2022
Bug initiated on 03-June-2022
We filed our finalized response to the survey on 03-June-2022
Verified the responses available at https://wiki.mozilla.org/CA/Communications#May_2022_Responses

  3. Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident. A statement that you have stopped will be considered a pledge to the community; a statement that you have not stopped requires an explanation.

This is not applicable, as no certificates are involved in the incident. No policy violation has been made for certificate issuances during the period between June 01st to June 03rd 2022 (New policy effective date, until this incident resolution date).

  4. In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g. OCSP failures, audit findings, delayed responses, etc.), please provide other similar statistics, aggregates, and a summary for each type of problem identified. This will help us measure the severity of each problem.

This is not applicable, as no certificates are involved in the incident.

  5. In a case involving TLS server certificates, the complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem. It is also recommended that you use this form in your list "https://crt.sh/?sha256=[sha256-hash]", unless circumstances dictate otherwise. When the incident being reported involves an SMIME certificate, if disclosure of personally identifiable information in the certificate may be contrary to applicable law, please provide at least the certificate serial number and SHA256 hash of the certificate. In other cases not involving a review of affected certificates, please provide other similar, relevant specifics, if any.

This is not applicable, as no certificates are involved in the incident.

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

We missed the deadline of Survey submission due to inadvertence which caused delay. In future we will be more alert.

  7. List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.

We have now put the Mozilla survey items among our top priorities, which will be regularly monitored to avoid slippages.

Flags: needinfo?(vijay)

I will close this on or about Friday, 10-June-2022.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 8 months ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program