Open Bug 1897457 Opened 2 months ago Updated 21 days ago

e-commerce monitoring gmbh: failure to maintain links to historic CP/CPS versions

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: ca, Assigned: ca)

Details

(Whiteboard: [ca-compliance] [policy-failure])

No description provided.

Dear All,

As advised by Ben in https://bugzilla.mozilla.org/show_bug.cgi?id=1862004#c16, e-commerce monitoring gmbh is preparing an incident report for not properly providing links to historic policy documents.

Best regards,
Daniel

Flags: needinfo?(min.zhang)

Incident Report

Summary

e-commerce monitoring GmbH (in the following referred to as ECM) has included broken links to historical CP/CPS versions directly in these documents. At the time this incident report is posted, the error has been rectified by linking historical versions on the website.

Impact

MRSP § 3.3 bullet 7 sentence 2 ("For CA certificates that were included in Mozilla's root store before December 31, 2022, the CA Operator shall maintain links in their online repositories to all reasonably available historic versions of CPs and CPSes (or CP/CPSes) from creation of the included CA certificates.") was not followed; relying parties sought to review past versions for a specific purpose but were only able to do so to a limited extent or with additional effort.

Timeline

All times are UTC.

2019-12-13

2020-04-03

2021-01-15

2021-01-15

2021-04-29

2022-01-14

2022-04-28

2023-01-13

2023-04-27

2023-08-19

2023-11-06

2024-02-16

2024-02-16

2024-05-03

2024-05-08

2024-05-10

2024-05-15

2024-05-17

Root Cause Analysis

To understand this incident, it is important to note that since 2006, ECM has been linking historical CP/CPS documents using the section "SCHEDULE / VERZEICHNISSE Author(s) and validity / Autor(en) und Gültigkeitshistorie." directly within the document, instead of providing a list on the website. This approach was chosen to ensure that the corresponding URLs had the same authenticity and integrity as the CP/CPS document itself. This method has been maintained over the years. When Mozilla's requirement came to link historical versions, this approach was deemed suitable.

However, this approach has some drawbacks in terms of flexibility. CP/CPS documents have various internal processes (such as multiple approval levels, release by management, etc.) and external processes (pre-notification to regulatory authorities, etc.) that make them somewhat rigid - which is good, but can pose challenges if errors occur, as they cannot be easily rectified with a few clicks, as would be the case with a website.

The root cause of this issue is considered to be human error. While multiple individuals are involved in revising the CP/CPS, and a redline version is created, the links that were subsequently destroyed were managed as field functions. When creating a redline, it is necessary to turn off the track changes mode once, in order to avoid overwhelming the document with numerous revised chapters, headings, references, etc. It would otherwise be too much information to review. The reason these links were not noticed during the final editing phase is that they were not flagged as changes.

Lessons Learned

What went well

  • All historical CP/CPS versions were accessible at any given time, even if accessing the link required some guesswork.
  • The integrity and authenticity of the historical CP/CPS documents were consistently maintained.
  • There is no ambiguity regarding which version is applicable for any given time period or product.

What didn't go well

  • There was a relatively long period between handing over to the website team and the update of the website.

Where we got lucky

  • ECM did not find any circumstance attributable to luck.

Action Items

Action Item                                          Kind                        Due Date
Revise process                                       Prevent, Improve            completed 2024-05-10
Provide functioning links on website                 Resolve                     completed 2024-05-17
Updated CP/CPS version linking only to the website   Resolve, Prevent, Improve   CW 26

Appendix

As no specific certificates are affected, we will repurpose this section as a "Useful Links" section to assist the community in evaluating our policies and practices over the past years.

Repository

GLOBALTRUST Certificate Policy

GLOBALTRUST Certificate Practice Statement

Flags: needinfo?(min.zhang)
Assignee: nobody → nobody
Component: Documentation → CA Certificate Compliance
Product: NSS → CA Program
Assignee: nobody → ca
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance] [policy-failure]

As you might know, browsers have decided to remove e-commerce monitoring GmbH (ECM) with its Root Certificate "GLOBALTRUST 2020" from their Root Programs as of June 30, 2024. Certificates issued before this date will retain their full validity.

The reasons for the removal have been comprehensively discussed in the Bugzilla forum. We acknowledged and accepted the decision. We have identified the shortcomings in our processes, particularly related to reaction time. Consequently, we are taking these issues very seriously and are committed to addressing them. An action plan is being rolled out to restructure our Certificate Authority (CA) functions. Our goal is to be included again in the Root Programs.

ECM’s shareholder, AUSTRIA CARD, is committed to regaining full compliance with the Browser/OS Root Store Policies. This commitment, which is strongly supported by our recently changed management, underscores our dedication to maintaining the widest compatibility and coverage.

As an immediate action, and until full remediation, ECM has ceased the issuance of TLS certificates according to the CA/Browser Forum Requirements. TLS certificates will be provided solely based on Regulation (EU) No 910/2014, Annex IV, as recently amended by Regulation (EU) 2024/1183 (“QWACs”). Certificates for interoperability testing purposes are excluded from this decision.

ECM, with its product lines GLOBALTRUST and TRUST2GO, is a Qualified Trust Service Provider (QTSP) according to EU eIDAS regulation and is under continuous supervision by the Austrian regulatory authority (RTR/TKK). Our activities are regularly evaluated by an accredited conformity assessment body based on numerous standards (e.g., eIDAS, ETSI), which include comprehensive logical, physical, and organizational security measures.

Our goal is to rebuild trust and demonstrate our commitment to upholding the highest standards in our industry.

For inquiries, please contact the Compliance & Product Management team, Attn: Mr. Daniel Zens, at ca@globaltrust.eu