Closed Bug 1888881 Opened 1 year ago Closed 9 months ago

CFCA: Failure to respond to a CPR in a complete and/or timely manner

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gaofei, Assigned: gaofei)

Details

(Whiteboard: [ca-compliance] [policy-failure])

Steps to reproduce:

On 2024-03-04, Ryan sent an email to CFCA (rc@cfca.com.cn) for the first time, reminding CFCA to confirm whether there was a basicConstraints extension error in the certificate. CFCA failed to check the email and respond in time.
A new incident report is expected to be available on April 6th.

Assignee: nobody → gaofei
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Summary: CFCA:Failure to respond to a Certificate Problem Report in a complete and/or timely manner → CFCA: Failure to respond to a Certificate Problem Report in a complete and/or timely manner
Whiteboard: [ca-compliance] [policy-failure]

Summary

On 2024-03-04, Ryan sent an email to CFCA (rc@cfca.com.cn, the contact email registered in the Problem Reporting Mechanism item in CCADB). However, CFCA failed to respond to the email in time.

Impact

Scope of impact: For some emails, the recipients are only rc@cfca.com.cn, excluding gaofei@cfca.com.cn, qiudawei@cfca.com.cn (CCADB Contacts).
After receiving the email sent again by Ryan on 2024-03-18, we have communicated with the administrator of rc@cfca.com.cn. All emails related to CAB will be forwarded to gaofei@cfca.com.cn and qiudawei@cfca.com.cn.
Currently, any email sent to rc@cfca.com.cn or gaofei@cfca.com.cn or qiudawei@cfca.com.cn will be checked and replied to in a timely manner.
We have applied for a new email address to replace rc@cfca.com.cn, and this email address will be checked and processed regularly by dedicated personnel.

Timeline

All times are UTC+8.

2024-03-04 08:00 Ryan sent an email to CFCA (rc@cfca.com.cn) for the first time, reminding CFCA to confirm whether there is a basicConstraints extension error in the certificate. CFCA failed to check the email in time. We have created a new Bugzilla Event: https://bugzilla.mozilla.org/show_bug.cgi?id=1888881
2024-03-18 20:59 Ryan sent an email to CFCA (gaofei@cfca.com.cn, qiudawei@cfca.com.cn) again.
2024-03-19 16:30 CFCA received Ryan’s second email and responded.
2024-03-20 10:00 Communicated with the administrator at rc@cfca.com.cn to ensure that emails can be checked and responded to in a timely manner.

Root Cause Analysis

The administrator of rc@cfca.com.cn has changed, and we have not been able to update the information in CCADB in a timely manner.

Lessons Learned

What went well

n/a

What didn't go well

n/a

Where we got lucky

Previous notification emails were usually sent to gaofei@cfca.com.cn, qiudawei@cfca.com.cn and rc@cfca.com.cn at the same time, so we were lucky enough to receive the email notification.

Action Items

| Action Item | Kind | Due Date |
| --- | --- | --- |
| Update the contact email registered in the Problem Reporting Mechanism item in CCADB. And arrange for a dedicated person to check the reply regularly | Prevent | 2024-4-20 |

Do we have an update on this?

Flags: needinfo?(gaofei)

(In reply to Wayne from comment #2)

Do we have an update on this?

  1. We have added a new email address docsign@cfca.com.cn to CCADB.
  2. Both docsign@cfca.com.cn and rc@cfca.com.cn have personnel who check them regularly.

No other updates yet.
Flags: needinfo?(gaofei)

Please note that weekly updates are expected.

There are currently no new information updates.

Summary: CFCA: Failure to respond to a Certificate Problem Report in a complete and/or timely manner → CFCA: Failure to respond to a CPR in a complete and/or timely manner

Can you please provide updates and reports of success, if any? Otherwise, please request that this bug be closed.

Flags: needinfo?(gaofei)

CFCA has completed the improvement measures. There is no new discussion at present. We apply to close the incident.

Flags: needinfo?(gaofei)

Please complete a Closure Summary.
Thanks!

A Closure Summary should briefly:

  • describe the incident, its root cause(s), and remediation;
  • summarize any ongoing commitments made in response to the incident; and
  • attest that all Action Items have been completed.

Here is a markdown template if needed:

Incident Report Closure Summary

  • Incident Description: [Two or three sentences summarizing the incident.]
  • Incident Root Cause(s): [Two or three sentences summarizing the root cause(s).]
  • Remediation Description: [Two or three sentences summarizing the incident's remediation.]
  • Commitment Summary: [A few sentences summarizing ongoing commitments made in response to this incident.]

"All Action Items disclosed in this Incident Report have been completed as described, and we request its closure."

Flags: needinfo?(gaofei)

Received, we will provide a closure summary as soon as possible.

Flags: needinfo?(gaofei)

We will add some recent updates/discussions before providing a closing summary.

Please provide a status update.

Flags: needinfo?(gaofei)

We canceled the additional update/discussion and will provide a closure summary this week.

Flags: needinfo?(gaofei)

Isn’t failure to provide regular (weekly?) status updates an incident in itself requiring the filing of a separate incident report?

(In reply to S. Poppett from comment #13)

Isn’t failure to provide regular (weekly?) status updates an incident in itself requiring the filing of a separate incident report?

OK, we'll file a separate incident report regarding the failure to provide weekly status updates.

(In reply to S. Poppett from comment #13)

Isn’t failure to provide regular (weekly?) status updates an incident in itself requiring the filing of a separate incident report?

Hi S. Poppett,
We filed a separate incident report here 1955799.

Report Closure Summary

  • Incident description: In March 2024, a third-party report notified CFCA to the contact email registered under the problem reporting mechanism in CCADB to confirm whether there was a basicConstraints extension error in the certificate, but CFCA failed to respond in time.
  • Incident Root Cause(s): CFCA had defects in CPR information maintenance and CPR email information checking, resulting in failure to update CPR information and respond in time.
  • Remediation description:
    1. Adjust the team leader. Michael (songxinlei@gmail.com) has been approved as the new team leader to replace Gao Fei & Qiu Dawei.
    2. Add 5 people to the team. Michael has assigned tasks to team members, conduct CPR information verification once a month, and check and respond to CPR email information once a day.
    3. Update the Primary POC information in CCADB to songxinlei.
  • Commitment summary: CFCA promised that the new team will implement the requirements in the remedial measures to ensure timely CPR problem checking and response. At the same time, internal supervision will add CCADB maintenance and CPR response inspection items.

All Action Items disclosed in this report have been completed as described, and we request its closure.

Hi, since there're no further comments and the report closure summary was provided above, we request its closure.

I'll close this on or about Wed. 2-Apr-2025, unless there are additional items or questions to discuss.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED