Closed Bug 1772414 Opened 2 years ago Closed 2 years ago

E-Tugra: Failure to Respond to May 2022 Survey

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bwilson, Assigned: dtokgoz)

Details

(Whiteboard: [ca-compliance] [disclosure-failure])

Pursuant to Mozilla Root Store Policy section 4.2, https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#42-surveys, "CA operators are REQUIRED to respond to the surveys with accurate information, within the timescale defined in the survey." May 31, 2022, was the time by which E-Tuğra was required to respond to the May 2022 Communication and Survey and has failed to do so.

Assignee: bwilson → dtokgoz
Status: NEW → ASSIGNED
Flags: needinfo?(dtokgoz)
Flags: needinfo?(dtokgoz)

Our incident report is as follows.

1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in the MDSP mailing list, a Bugzilla bug, or internal self-audit), and the time and date.

An email from Mozilla (Ben Wilson) and Bugzilla Bug notification email of this bug were received on June 3, 2022.

2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

• We were notified about the survey on 18-May-2022, during a regular CCADB check. A task was created on the task list. The due date was set as 01-June-2022.
• We prepared the answers and created other tasks for compliance.
• A reminder email was received from Mozilla (Ben Wilson) on 01-June-2022.
• We faced a conflict on an answer to a survey item and, on the assumption that the deadline had been postponed to 10-June-2022 because of a misunderstanding of the expiration date info of the Survey on https://ccadb.force.com/s/ca-communications, we postponed the submission of the survey by 1 or 2 more days.
• The bug was opened by Mozilla on 03-June-2022.
• As soon as we got the notification of the bug, we completed the survey on 03-June-2022.

3. Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident. A statement that you have stopped will be considered a pledge to the community; a statement that you have not stopped requires an explanation.

No certificates are involved in the incident.

4. In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g. OCSP failures, audit findings, delayed responses, etc.), please provide other similar statistics, aggregates, and a summary for each type of problem identified. This will help us measure the severity of each problem.

No certificates are involved in the incident.

5. In a case involving TLS server certificates, the complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem. It is also recommended that you use this form in your list "https://crt.sh/?sha256=[sha256-hash]", unless circumstances dictate otherwise. When the incident being reported involves an SMIME certificate, if disclosure of personally identifiable information in the certificate may be contrary to applicable law, please provide at least the certificate serial number and SHA256 hash of the certificate. In other cases not involving a review of affected certificates, please provide other similar, relevant specifics, if any.

No certificates are involved in the incident.

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

We missed the deadline of the Survey due to some internal discussion on some points, which took more time than expected, and calendar notifications for the deadline were missed. Also, a misunderstanding of the expiration date value of the Survey caused a slippage of the deadline.

7. List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.

We developed a cross-control mechanism and a shared calendar for tracking Cabforum ballots, responding to root policy requests of browsers and other critical compliance issues 2 years ago. But in this task, we saw that this mechanism was not applied.
To ensure this kind of incident will not happen in the future, we will apply this procedure to all tasks related to browsers, Cabforum and all third-party compliance requirements. We have applied multiple notifications in our calendar and cross-control process so that such important things do not slip and are executed within a defined timeframe.

I will close this on or about Friday, 10-June-2022.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
Summary: E-Tuğra: Failure to Respond to May 2022 Survey → E-Tugra: Failure to Respond to May 2022 Survey
Whiteboard: [ca-compliance] → [ca-compliance] [disclosure-failure]