certSIGN: Delayed response to CPR
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: gabriel.petcu, Assigned: gabriel.petcu)
Details
(Whiteboard: [ca-compliance] [policy-failure])
Incident Report
Delayed response to a certificate problem report in a complete and/or timely manner.
Summary
certSIGN failed to receive an email with a Certificate Problem Report, as it was marked as junk, so it did not respond to it. Non-compliance with CABF BR section 4.9.3, Procedure for revocation request: "The CA SHALL maintain a continuous 24x7 ability to accept and respond to revocation requests and Certificate Problem Reports."
Impact
The Certificate Problem Report was not acknowledged in the due time.
Timeline
All times are UTC.
2024-03-05:
- 15:19 an email was received at the address revokecsgn@certsign.ro with a Certificate Problem Report about a non-conformity in the Subject Attribute Encoding order
- 10:18 the email was marked as Junk by the Office 365 email filter.
2024-03-18:
- 13:07 an email was received from a different sender email address with the same Certificate Problem Report; this one was not marked as Junk
- 16:00 started investigating the reasons the certificate problem report email was missed
- 16:10 an acknowledgement was sent to the third party that informed certSIGN of the Certificate Problem Report
2024-03-20:
- 08:00 certSIGN informed the WebTrust auditors about the incident
- 22:30 the incident report was registered in Bugzilla
Root Cause Analysis
The email filter classified the email from the sender dickson.linting.experiment@gmail.com as junk, so the email was not read.
Lessons Learned
What went well
- Immediate actions were taken when the cause was identified – reading the Junk emails
What didn't go well
- The persons responsible for receiving the emails at revokecsgn@certsign.ro did not check the junk email folder
Where we got lucky
- After checking the Junk folder, this email was the only legitimate revocation request found there
Action Items
| Action Item | Kind | Due Date | Status |
|---|---|---|---|
| Analyze the problem | Analyze | 2024-03-18 | Done |
| Check all emails in the Junk folder | Correct | 2024-03-18 | Done |
| Train the persons responsible for the Problem reporting mechanism | Prevent | 2024-03-29 | In progress |
Appendix
N/A
Based on Incident Reporting Template v. 2.0
Comment 1 (Assignee) • 1 year ago
We revoked the non-conformant certificate within the maximum period of 5 days after certSIGN acknowledged receipt of the CPR.
Comment 2 (Assignee) • 1 year ago
The persons responsible for the Problem reporting mechanism had an internal meeting on 29.03.2024, focusing on different scenarios in which emails received from external parties may be lost. The main effective action is a daily check of the Junk and Spam folders, which has been included in the routine email check.
All the action items are closed now.
Comment 3 (Assignee) • 1 year ago
We have no additional actions and consider the bug resolved unless there are further questions.
Comment 4 (Assignee) • 1 year ago
We have no additional actions and consider the bug resolved unless there are further questions.
Comment 5 • 1 year ago
I can close this sometime May 20 - 24, provided that questions about the junk email filter/folder are appropriately answered in Bugzilla Bug #1886627.