Entrust: Delayed incident report - CPS typographical (text placement) error
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: bruce.morton, Assigned: bruce.morton)
Details
(Whiteboard: [ca-compliance] [policy-failure])
Comment 1 • 19 days ago
Incident Report
Summary
The incident in bug https://bugzilla.mozilla.org/show_bug.cgi?id=1890896 was identified and remediated on March 26, but the incident report was published 15 days later. With this incident report we want to provide full transparency on this delayed publication.
Impact
This incident involves 6,008 OV TLS certificates that were issued between March 22, 2024, 15:02 UTC and March 26, 2024, 17:07 UTC. The certificates have a mode validity of 392 days.
Timeline
2024-03-26:
- 15:28 We self-discovered that there was a typographical error included in the CPS. The CPS was updated to correct the error.
- 17:07 CPS version 3.20 was posted.
2024-04-11:
- 00:45 We posted the incident report in bug #1890896.
Root Cause Analysis
1. Why was there a problem?
A change which was supposed to be made to the “EV SSL certificate” profile was incorrectly added to the “SSL certificate” (OV) profile, see bug #1890896.
As these certificates are considered mis-issued, they require revocation and a preliminary incident report according to the following CCADB policy:
“An initial report should be filed within 72 hours of the CA Owner being made aware of the incident. If a full incident report is not yet ready, CA Owners should provide a preliminary report containing an executive summary of the incident and a date by which the full report will be posted. The full incident report must be posted within two weeks of the incident.”
2. Why was the report delayed?
Amid concurrent incidents, drafting and publication of the incident report were not completed within the recommended timeframe.
3. Why did the concurrent incidents delay the drafting and publication?
Team members who manage incidents and draft reports have also been involved in mitigating, explaining, and supporting communication on concurrent incidents.
4. Why was the team not able to deal with this load?
The load was greater than capacity due to the large number of subscribers affected. Also, the incident process depends on specific knowledge of compliance team members.
5. Why was this an issue?
The compliance team was also involved in the annual WebTrust compliance audit and concurrent incidents.
Lessons Learned
What went well
- The CPS typographic error was detected and resolved within 4 days.
What didn't go well
- Priorities of other incidents delayed the management of this incident.
Where we got lucky
- The underlying incident did not impact subscriber security or the web ecosystem.
Action Items
See bug #1890896
Appendix
Details of affected certificates
See bug #1890896
Comment 2 • 13 days ago
We have no updates for this week and will continue to monitor the bug.
Comment 3 • 6 days ago
There are no updates for this week and we will continue to monitor the bug.