ACCV: Delayed response to CPR
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: jamador, Assigned: jamador)
Details
(Whiteboard: [ca-compliance] [policy-failure])
Incident Report
This is a preliminary report.
Delayed response to a certificate problem report in a complete and/or timely manner.
Summary
ACCV took several days to respond to a notification of problems in the issuance of certificates, which is in breach of point 4.9.3 of the BR.
The full reference can be found at
https://bugzilla.mozilla.org/show_bug.cgi?id=1884532
Impact
The Certificate Problem Report was not acknowledged in the due time.
Timeline
All times are UTC.
The provided timeline focuses solely on the events related to the delayed response to CPR.
2024-03-04:
- 13:00 An external observer sent a personal e-mail to the account accv@accv.es indicating a possible problem with the issuance. This email was not prioritised as urgent and was passed on for routine review by the support team.
2024-03-09:
- 08:30 After a routine review of the incidents received and referred to the compliance office, a warning is detected involving incorrectly issued certificates.
Root Cause Analysis
The email address for reporting problems in the issuance of certificates in CCADB is accv@accv.es. This is the generic account of our organisation and the one that appears on our website and as there were no precedents of similar incidents and it did not cause a problem in the issue, the severity of the problem was not understood and support sent it for the next routine review of the emails. In this case the revision did not take place until 2024-03-09, 08:30AM.
Lessons Learned
What went well
What didn't go well
Because there was no precedent for similar messages, the support staff mistook the message as commercial mail and forwarded it for analysis.
Where we got lucky
Action Items
Action Item | Kind | Due Date |
---|---|---|
Create an e-mail address only for communications from the Problem Reporting Mechanism that will go directly to the people responsible for these issues (problem_reporting@accv.es). This mailbox is assigned to 6 recipients from the compliance, technical and crisis teams. ACCV ensures that there are always at least two users available. ACCV will open a case in the CCADB to request it. | Prevent | 2024-03-25 |
----------- | ---- | -------- |
###Appendix
Based on Incident Reporting Template v. 2.0
Updated•7 months ago
|
Assignee | ||
Comment 1•6 months ago
|
||
ACCV has opened a case in CCADB for the modification of the email address associated with the problem report mechanism from accv@accv.es to problem_reporting@accv.es. The change is pending confirmation from the root store reviewer.
Assignee | ||
Comment 2•6 months ago
|
||
The reviewer has confirmed the mechanism for reporting problems in the CCADB. The new e-mail address is problem_reporting@accv.es
Action Items
Action Item | Kind | Status | Due Date |
---|---|---|---|
Create an e-mail address only for communications from the Problem Reporting Mechanism that will go directly to the people responsible for these issues (problem_reporting@accv.es). This mailbox is assigned to 6 recipients from the compliance, technical and crisis teams. ACCV ensures that there are always at least two users available. ACCV will open a case in the CCADB to request it. | Prevent | Done | 2024-03-25 |
Assignee | ||
Comment 3•6 months ago
|
||
No further action is pending. We are monitoring this bug for further comments or questions.
Assignee | ||
Comment 4•5 months ago
|
||
No further action is pending. We are monitoring the bug until it is closed.
Can you confirm the original report is not preliminary but final?
Assignee | ||
Comment 6•5 months ago
|
||
Yes, the report is final. When copying the template it was included as a preliminary report by mistake. Sorry for not noticing.
Comment 7•3 months ago
|
||
I will close this bug on or about Wed. 10-July-2024, unless there are additional items to discuss.
Updated•3 months ago
|
Description
•