Bug 1883493 (Open) - Opened 4 months ago, updated 4 months ago

Izenpe: Failure to Submit Annual CCADB Self-Assessment

Categories: CA Program :: CA Certificate Compliance, task
Tracking: Not tracked
Status: ASSIGNED
People: Reporter: cclements, Assigned: d-fernandez
Whiteboard: [ca-compliance] [disclosure-failure] [external]

Section 6. Annual Self-Assessments of the Chrome Root Program Policy requires CA Owners to submit an annual self-assessment to the CCADB.

The initial annual self-assessment for Izenpe S.A. was required in January 2024. As of March 4, 2024, Izenpe S.A. has not submitted an initial annual self-assessment in accordance with the Chrome Root Program Policy, and an incident report is now requested.

Hi,
In the next 24 hours we will provide further details about this issue. In the meantime, would it be possible to know when the email was sent and from which domain? It is not the first time we have missed an email coming from the CCADB due to our email server filters.
Regards,

> In the meantime, would it be possible to know when the email was sent and from which domain? It is not the first time we have missed an email coming from the CCADB due to our email server filters.

Hi David. AFAICT, Chris didn't say anything about any email being sent.

I agree that it's helpful when CCADB sends reminder notifications about required deliverables, but these are a "nice to have" rather than something that a CA Owner should become reliant on receiving.

Submitting annual self-assessments is a requirement of the Chrome Root Program Policy. That Policy is the notification of this requirement, which means that it's now entirely the responsibility of each CA Owner to remember to comply with that requirement.

Hi Rob,
Maybe I didn't express myself as I should have when referring to a notification. I agree with you that we can't rely on any notification sent by anyone, and in this case it has been entirely our mistake for not completing the annual self-assessment.
My concern was that in the past, one email sent by Apple through the CCADB never reached us because it had been filtered by our email server (since then we check the CCADB manually in case there is a notification); if this had been the case, we would have reviewed the email server filters again.

Incident Report

Summary

Izenpe has not provided the Annual Self-Assessment required by the Chrome Root Program within 92 days of the "BR Audit Period End Date".

Impact

This delay is an incident as stated in Section 7 of the Chrome Root Program.

Timeline

2024-03-04
20:36 An email was received from Bugzilla warning us that a new bug had been opened.

Root Cause Analysis

Mistakenly, we had assumed the end date for the self-assessment was 3 months after the audit statement date.

Lessons Learned

What went well

  • Nothing in this situation.

What didn't go well

  • We do not ensure a double check of the Root Programs as we do with CabForum.

Where we got lucky

Action Items

Action Item                                                              Kind         Due Date
-----------------------------------------------------------------------  -----------  ----------
Another person will also check the Root Programs (ja-saez@izenpe.eus)    Prevent      2024-03-07
Self-assessment will be sent                                             Remediation  2024-03-14
Following self-assessments will be sent at the same time we upload       Remediation  2024-12
the annual audit

Appendix

Details of affected certificates

Self-assessment uploaded to the CCADB.

Thank you for submitting the self-assessment to the CCADB. Also, thank you for this report, but it does not meet the expectations detailed on the CCADB Incident Reports page. Some updates are requested.

Request for update #1: The Timeline section should be updated to include all of the events detailed on the CCADB Incident Reports page. “The timeline must include not just the actual discovery of the incident [...]”

Request for update #2: The Root Cause Analysis section should be updated to include a detailed analysis of the combined conditions that created the issue. As stated on the CCADB Incident Reports page “It is unusual for an incident to have a single root cause”.

  • What were all of the conditions which combined to give rise to this issue? (e.g., Why was the mistake made? What led to the wrong assumption? Why was the assumption never challenged? Why are Root Program requirements seemingly treated differently than CA/Browser Forum requirements? etc.)

Request for update #3: The Lessons Learned and corresponding Action Items should be updated after performing a more robust Root Cause Analysis. Lessons Learned intend to help others avoid the same root cause of this incident. Action Items intend to prevent similar incidents in the future by addressing the root cause. Consider the three types of actions detailed on the CCADB Incident Reports page, which are Prevent, Mitigate, and Detect. The Action Items must create additional protections to instill confidence in the community that this issue will not recur in the future.

Thanks for your comments. I have rebuilt the incident report, trying to fulfill your requests.

Incident Report

Summary

Izenpe has not provided the Annual Self-Assessment required by the Chrome Root Program within 92 days of the "BR Audit Period End Date".

Impact

This delay is an incident as stated in Section 7 of the Chrome Root Program.

Timeline

2023-10-30
Audit Period End Date.
2023-12-20
Audit Statement Date.
2024-01-16
Chrome Root Program Policy v1.5 states that the self-assessment "MUST be completed and submitted to the CCADB within 92 calendar days from the CA Owner's earliest appearing root record “BR Audit Period End Date”".
2024-01-30
Last day to submit the self-assessment. Izenpe failed to meet it.
2024-03-04
20:36 An email was received from Bugzilla warning us that a new bug had been opened regarding not submitting the self-assessment on time.
2024-03-14
The self-assessment is sent to the CCADB.
2024-03-21
Internal ticket created for two different people to review the Root Programs again.

Root Cause Analysis

While CabForum BR guidelines are reviewed by at least 3 people, as they impact Izenpe in several areas, the Root Programs have not been paid the same attention and have not been reviewed by more than one person.
During the last review of Chrome's Root Program, we noticed there was a change (from the previous version) in the number of days within which the self-assessment must be submitted, but we still assumed in our scheduling that the date to be considered was the date when the audit statement was signed.

Lessons Learned

What went well

  • Nothing in this situation.

What didn't go well

  • An exhaustive check of the Root Programs has not been done, and we have no internal traceability of them or of the actions that should be taken or have been taken.
  • Thus, we do not ensure a double check of the Root Programs, and the actions are not reviewed by anyone else.

Where we got lucky

Action Items

Action Item                                                              Kind         Due Date
-----------------------------------------------------------------------  -----------  ----------
Self-assessment will be sent                                             Remediation  2024-03-14
At least two people will be assigned to check the Root Programs          Prevent      2024-03-21
A new internal ticket regarding the Root Programs will be opened and     Detect       2024-04-21
assigned to two different people for review
A task will be created in our ticketing system for every new version     Prevent      2024-xx-xx
of the Root Programs
Following self-assessments will be sent at the same time we upload       Remediation  2024-12
the annual audit

Appendix

Details of affected certificates
