Closed Bug 1846216 Opened 1 year ago Closed 1 year ago

Disig: Failure to Respond to Jun 2023 Apple Root Program Survey

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: peter.miskovic, Assigned: peter.miskovic)

Details

(Whiteboard: [ca-compliance] [disclosure-failure])

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

On July 28, 2023 we were informed as an Apple Root Program member via e-mail from Rebecca Kelley (V) rebecca_kelley@apple.com that we didn't respond to the "Apple CA Communication | 2023 Root Policy Update and Survey", which was sent to us via e-mail on Jun 22, 2023.

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

20230623 19:15 CET(UTC+2) "Apple CA Communication | 2023 Root Policy Update and Survey" CCADB mass e-mail and survey were sent to the Disig representative in the Apple Root Program.
20230728 19:21 CET(UTC+2) Disig became aware of this problem through an e-mail from the Apple Root Program (Rebecca Kelley).
20230731 07:00 CET(UTC+2) The investigation was initiated by the CA manager (Peter Miskovic).
20230731 08:00 CET(UTC+2) Disig began preparing to fill out the survey.
20230731 08:25 CET(UTC+2) Disig completed the survey and submitted it via e-mail to rebecca_kelley@apple.com.

  3. Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident. A statement that you have stopped will be considered a pledge to the community; a statement that you have not stopped requires an explanation.

The CA has not stopped issuing certificates, as this incident did not produce misissued certificates.

  4. In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g., OCSP failures, delayed responses, etc.), please provide other similar statistics, aggregates, and a summary for each type of problem identified. This will help measure the severity of each problem.

N/A

  5. In a case involving TLS server certificates, the complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem. It is also recommended that you use this form in your list "https://crt.sh/?sha256=[sha256-hash]", unless circumstances dictate otherwise. When the incident being reported involves an S/MIME certificate, if disclosure of personally identifiable information in the certificate may be contrary to applicable law, please provide at least the certificate serial number and SHA256 hash of the certificate. In other cases not involving a review of affected certificates, please provide other similar, relevant specifics, if any.

N/A

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

We are sorry that this survey was overlooked on our end. This is a failure of CA management, specifically of me (Peter Miskovic), where I did not consistently mark the task on my calendar, as I usually do, in order to complete and submit the survey on time.
In fact, my attention was distracted during this period by problems with my PC, which I was dealing with at the time, and I lost a lot of data due to the failure of the security policy in place. We acknowledge that it was an oversight on my part. When we became aware of the issue through an alert from Rebecca Kelley, we took it seriously and immediately completed this survey and sent it to the Apple Root Program.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

We immediately launched an internal investigation when we learned of the issue via e-mail, and quickly confirmed that the cause of the issue was that we missed the survey because we didn't consistently mark the deadline for sending it.
By taking the following preventive measures, we will ensure that similar problems do not recur in the future.
For every communication sent to us from the Apple Root Program, the two persons responsible for communication with the program (Peter Miskovic, Jozef Nigut) will immediately and consistently record in their tasks that there is an obligation to complete it, together with the exact deadline.
Likewise, any required communication with a specified due date with any root program of which we are a member will be entered into the internal monitoring system, which will notify us in time of the approaching due date.

Assignee: nobody → peter.miskovic
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [disclosure-failure]
Component: Common CA Database → CA Certificate Compliance

Unless there are additional questions or comments, I intend to close this matter on Friday, 29-Sept-2023.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED