Closed Bug 1890901 Opened 1 year ago Closed 1 year ago

Entrust: Delayed incident report - CPS typographical (text placement) error

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bruce.morton, Assigned: bruce.morton)

Details

(Whiteboard: [ca-compliance] [policy-failure])


Incident Report

Summary

The incident in bug https://bugzilla.mozilla.org/show_bug.cgi?id=1890896 was identified and remediated on March 26, but the incident report was published 15 days later. With this incident report we want to provide full transparency on this delayed publication.

Impact

This incident involves 6,008 OV TLS certificates that were issued between March 22, 2024, 15:02 UTC and March 26, 2024, 17:07 UTC. The certificates have a mode validity of 392 days.

Timeline

2024-03-26:

  • 15:28 We self-discovered that there was a typographical error included in the CPS. The CPS was updated to correct the error.
  • 17:07 CPS version 3.20 was posted.

2024-04-11:

Root Cause Analysis

1. Why was there a problem?

A change which was supposed to be made to the “EV SSL certificate” profile was incorrectly added to the “SSL certificate” (OV) profile, see bug #1890896.
As these certificates are considered mis-issued, they require revocation and a preliminary incident report according to the following CCADB policy:

“An initial report should be filed within 72 hours of the CA Owner being made aware of the incident. If a full incident report is not yet ready, CA Owners should provide a preliminary report containing an executive summary of the incident and a date by which the full report will be posted. The full incident report must be posted within two weeks of the incident.”

2. Why was the report delayed?

Amid concurrent incidents, drafting and publication of the incident report were not done within the recommended timeframe.

3. Why did the concurrent incidents delay the drafting and publication?

Team members who manage incidents and draft reports have also been involved in mitigating, explaining, and supporting communication on concurrent incidents.

4. Why was the team not able to deal with this load?

The load was greater than capacity due to the large number of subscribers affected. Also the incident process depends on specific knowledge of compliance team members.

5. Why was this an issue?

The compliance team was also involved in the annual WebTrust compliance audit and concurrent incidents.

Lessons Learned

What went well

  • The CPS typographic error was detected and resolved within 4 days.

What didn't go well

  • Priorities of other incidents delayed the management of this incident.

Where we got lucky

  • The underlying incident did not impact subscriber security or the web ecosystem.

Action Items

See bug #1890896

Appendix

Details of affected certificates

See bug #1890896

Assignee: nobody → bruce.morton
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance] [policy-failure]

We have no updates for this week and will continue to monitor the bug.

There are no updates for this week and we will continue to monitor the bug.

I intend to close this bug on Friday, 3-May-2024.

Flags: needinfo?(bwilson)


The action items for this bug are linked to another bug, and are not yet remediated.

We will respond concerning Entrust's issues, incidents, responses and remediation efforts in due course.


I think it does not make sense to close these incidents while Entrust is actively breaking the rules of the Mozilla Root Program & BRs. I would highly prefer the response start before these bugs are closed. This comment applies to all the bugs that have been marked for being closed:

There are no updates for this week and we will continue to monitor the bug.

I am closing this, but it will still appear on the list of Entrust compliance issues being drafted.

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED