Closed Bug 1838860 Opened 2 years ago Closed 2 years ago

Tuntrust: Failure to Respond to April 2023 Survey

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: cclements, Assigned: pki)

Details

(Whiteboard: [ca-compliance] [disclosure-failure] )

Section 9. Timely and Transparent Communications of the Chrome Root Program policy requires CA Owners respond to CCADB communications within 14 calendar days unless specified otherwise.

The “Google Chrome Root Program: April 2023 CA Owner Survey” CCADB mass email and survey was sent on April 24, 2023. CA Owners with certificates included in the Chrome Root Store were required to respond to the survey by June 9, 2023.

As of June 16, 2023, Tuntrust has not responded to the survey and an incident report is now requested.

(In reply to Chris Clements from comment #0)

> Section 9. Timely and Transparent Communications of the Chrome Root Program policy requires CA Owners respond to CCADB communications within 14 calendar days unless specified otherwise.
>
> The “Google Chrome Root Program: April 2023 CA Owner Survey” CCADB mass email and survey was sent on April 24, 2023. CA Owners with certificates included in the Chrome Root Store were required to respond to the survey by June 9, 2023.
>
> As of June 16, 2023, Tuntrust has not responded to the survey and an incident report is now requested.

Hello,
This issue has been taken into consideration since we received the notification of the bug creation by email.
We are currently preparing the incident report and finishing the response to the survey. We will post the incident report here as soon as possible.
As for the answers to the survey, can we still use the link provided by email (https://forms.gle/Rd6EeXye2aqEzN7V8)?

Thank you.

Best regards,
Ons Echikh Zaouali (she/her)

Flags: needinfo?(cclements)

Hi Ons, yes - the survey is still accessible via the link provided in the original email. Thank you.

Flags: needinfo?(cclements)

Please find below the incident report related to this bug.

1. How your CA first became aware of the problem (e.g., via a problem report submitted to your Problem Reporting Mechanism, a discussion in the MDSP or CCADB public mailing list, a Bugzilla bug, or internal self-audit), and the time and date.

We became aware of the problem when we were notified by email (to our email contact pki@tuntrust.tn) of this bug having been opened in Bugzilla. We received the email on Friday June 16th, 2023 at 14:07 (Tunisia local time).

2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a requirement became applicable, a document changed, a bug was introduced, or an audit was performed.

Date and time            Action
-----------------------  ------------------------------------------------------------------------------------------
16 June 2023 at 14:07    The issue was taken charge of by the Board of Directors upon receiving the email notification.
16 - 21 June 2023        Prepare the incident report
16 June – still ongoing  Finalize the answers to the survey

3. Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident. A statement that you have stopped will be considered a pledge to the community; a statement that you have not stopped requires an explanation.

This is not applicable in the context of this incident.

4. In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g., OCSP failures, delayed responses, etc.), please provide other similar statistics, aggregates, and a summary for each type of problem identified. This will help measure the severity of each problem.

This is not applicable in the context of this incident.

5. In a case involving TLS server certificates, the complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem. It is also recommended that you use this form in your list “https://crt.sh/?sha256=[sha256-hash]”, unless circumstances dictate otherwise. When the incident being reported involves an SMIME certificate, if disclosure of personally identifiable information in the certificate may be contrary to applicable law, please provide at least the certificate serial number and SHA256 hash of the certificate. In other cases not involving a review of affected certificates, please provide other similar, relevant specifics, if any.

This is not applicable in the context of this incident.

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

We could not finish answering the survey before the deadline.

The survey questions required thoughtful analysis by all stakeholders, a lot of data analysis and discussions within TunTrust’s Board of Directors and with the supervisory ministry and making important decisions. Therefore, we could not make it before the deadline.

7. List of steps your CA is taking to resolve the situation and ensure that such a situation or incident will not be repeated in the future. The steps should include the action(s) for resolving the issue, the status of each action, and the date each action will be completed.

We would like to know if it is possible, in future surveys, to answer the survey questions partially and/or to ask for an extension when the deadline is almost reached and we have not yet reached conclusions.

Flags: needinfo?(cclements)

> The survey questions required thoughtful analysis by all stakeholders, a lot of data analysis and discussions within TunTrust’s Board of Directors and with the supervisory ministry and making important decisions. Therefore, we could not make it before the deadline.

As expressed in the introduction of the survey, we understood the length and level of detail requested by the survey. We were hoping that by combining multiple areas of interest into a single survey with an extended response window it would be less disruptive to CA owners than having to respond to several smaller surveys. CA owner feedback on this approach was positive. Nearly all of the CA owners included in the Chrome Root Store responded to the survey by the requested deadline while also managing to include a great level of detail and candor in their responses.

  1. Comment 3 does not clearly describe why TunTrust could not complete the survey in the prescribed time frame. Can you please explain the reason and root cause?
  2. With the root cause identified, can you also explain how TunTrust will avoid repeating this behavior in the future?

> We would like to know if it is possible in the future surveys, to answer partially on the survey questions and/or ask for an extension when the deadline is almost reached and we have not yet reached conclusions.

Also expressed in the introduction of the survey, we expect CA owners to be candid in responding to the form, as survey results are intended to inform potential future updates to the Chrome Root Program policy.

  1. We are not aware of any attempts by TunTrust to communicate concerns related to a submission delay with our program team before we opened this incident a week after the survey response was due. Can you explain why an expected delay in survey response was not communicated to our team in advance?

Flags: needinfo?(cclements)

Please find below our answers to your questions.

Q1: Comment 3 does not clearly describe why TunTrust could not complete the survey in the prescribed time frame. Can you please explain the reason and root cause?
Q3: We are not aware of any attempts by TunTrust to communicate concerns related to a submission delay with our program team before we opened this incident a week after the survey response was due. Can you explain why an expected delay in survey response was not communicated to our team in advance?

Responding to browsers’ surveys, inquiries and communications has always been dealt with as a point-in-time action and has not been governed by a specific internal procedure.
For this specific survey, we needed more time to answer the questions because (i) we had many rounds of reviews and discussions between all stakeholders that unfortunately could not be concluded before the deadline and (ii) the survey contained 5 important sections whose impact is considerable; as such, we wanted to ensure we addressed these in a thoughtful manner.
Unfortunately, the deadline (June 9) was reached and we did not think that it was possible to be granted an extension by the Chrome Root Program. We stopped the work on answering the survey’s questions on June 9 as we thought it was closed. We received the incident notification on Bugzilla on June 16 and have resumed answering the survey since then. We submitted our answers on June 23rd.

Q2: With the root cause identified, can you also explain how TunTrust will avoid repeating this behavior in the future?

Action: Prepare an internal procedure for dealing with browsers’ surveys, inquiries and communications that takes into consideration the following: (i) calendarize all necessary rounds of reviews with sufficient buffer prior to the submission deadline and (ii) build placeholders into the calendar for any communications/escalations to browsers if any clarifications are required or to communicate the need for more time to complete, etc.
Date:   July 7th 2023
Status: Ongoing

Please find below an update to our action plan.

Action: Prepare an internal procedure for dealing with browsers’ surveys, inquiries and communications that takes into consideration the following: (i) calendarize all necessary rounds of reviews with sufficient buffer prior to the submission deadline and (ii) build placeholders into the calendar for any communications/escalations to browsers if any clarifications are required or to communicate the need for more time to complete, etc.
Date:   July 7th 2023
Status: Done

I believe this case can be closed. Please provide any final comments or questions before Friday, 29-Sept-2023.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED