e-commerce monitoring gmbh: failure to maintain links to historic CP/CPS versions
Categories: CA Program :: CA Certificate Compliance, task
People: Reporter: ca, Assigned: ca
Whiteboard: [ca-compliance] [policy-failure]
Comment 1•2 months ago
Dear All,
As advised by Ben in https://bugzilla.mozilla.org/show_bug.cgi?id=1862004#c16, e-commerce monitoring gmbh is preparing an incident report for not properly providing links to historic policy documents.
Best regards,
Daniel
Incident Report
Summary
e-commerce monitoring GmbH (in the following referred to as ECM) has included broken links to historical CP/CPS versions directly in these documents. At the time this incident report is posted, the error has been rectified by linking historical versions on the website.
Impact
MRSP § 3.3 bullet 7 sentence 2 ("For CA certificates that were included in Mozilla's root store before December 31, 2022, the CA Operator shall maintain links in their online repositories to all reasonably available historic versions of CPs and CPSes (or CP/CPSes) from creation of the included CA certificates.") was not followed; relying parties sought to review past versions for a specific purpose but were only able to do so to a limited extent or with additional effort.
Timeline
All times are UTC.
2019-12-13
- CP Version GCP V 2.0f (https://www.globaltrust.eu/static/globaltrust-certificate-policy.20191213.pdf) issued; this is the last version where all links to historic policy versions are correct in chapter "SCHEDULE / VERZEICHNISSE Author(s) and validity / Autor(en) und Gültigkeitshistorie."
2020-04-03
- CP Version 2.0g (https://service.globaltrust.eu/static/globaltrust-certificate-policy.20200403.pdf) is issued with one broken link (the file name extension .pdf is missing a "." - it should be ...20191213.pdf rather than ...20191213pdf)
- CPS Version 2.0g (https://service.globaltrust.eu/static/globaltrust-certificate-policy.20200403.pdf) is issued with one broken link (the file name extension .pdf is missing a "." - it should be ...20191213.pdf rather than ...20191213pdf)
2021-01-15
- CP Version 2.0h (https://service.globaltrust.eu/static/globaltrust-certificate-policy.20210115.pdf) is issued. The broken link from 2020-04-03 is not corrected.
2021-01-15
- CPS Version 2.0h (https://service.globaltrust.eu/static/globaltrust-practice-statement.20210115.pdf) is issued. The broken link from 2020-04-03 is not corrected.
2021-04-29
- CP Version 2.0i (https://service.globaltrust.eu/static/globaltrust-certificate-policy.20210429.pdf) is issued. The broken link from 2020-04-03 is not corrected.
2022-01-14
- CPS Version 2.0i (https://service.globaltrust.eu/static/globaltrust-practice-statement.20220114.pdf) is issued. The broken link from 2020-04-03 is not corrected.
2022-04-28
- CP Version 3.0 (https://service.globaltrust.eu/static/globaltrust-certificate-policy.20220428.pdf) is issued. The broken link from 2020-04-03 is not corrected.
2023-01-13
- CPS Version 3.0 (https://service.globaltrust.eu/static/globaltrust-practice-statement.20230113.pdf) is issued. The broken link from 2020-04-03 is not corrected.
2023-04-27
- CP Version 3.1 (https://service.globaltrust.eu/static/globaltrust-certificate-policy.20230427.pdf) is issued. The broken link from 2020-04-03 is not corrected.
Another error is made in "SCHEDULE / VERZEICHNISSE Author(s) and validity / Autor(en) und Gültigkeitshistorie" in regards to the Version 3.0 28th April 2022 which links to http://www.globaltrust.eu/static/globaltrust-certificate-policy.pdf instead of http://www.globaltrust.eu/static/globaltrust-certificate-policy.20220428.pdf
2023-08-19
- CP Version 3.2 (https://service.globaltrust.eu/static/globaltrust-certificate-policy.20230819.pdf) is issued. The broken links from 2020-04-03 and 2023-04-27 are not corrected.
The same error is made in "SCHEDULE / VERZEICHNISSE Author(s) and validity / Autor(en) und Gültigkeitshistorie" in regards to the Version 3.1 27th April 2023 which links to http://www.globaltrust.eu/static/globaltrust-certificate-policy.pdf instead of http://www.globaltrust.eu/static/globaltrust-certificate-policy.20230427.pdf
2023-11-06
- CPS Version 3.0a (https://service.globaltrust.eu/static/globaltrust-practice-statement.20231106.pdf) is issued. The broken link from 2020-04-03 is not corrected.
2024-02-16
- CP Version 3.2a (current version, https://service.globaltrust.eu/static/globaltrust-certificate-policy.20240216.pdf) is issued. The broken links from 2020-04-03, 2023-04-27 and 2023-08-19 are not corrected.
The same error is made in "SCHEDULE / VERZEICHNISSE Author(s) and validity / Autor(en) und Gültigkeitshistorie" in regards to the Version 3.2 19th August 2023 which links to http://www.globaltrust.eu/static/globaltrust-certificate-policy.pdf instead of http://www.globaltrust.eu/static/globaltrust-certificate-policy.20230819.pdf
2024-02-16
- CPS Version 3.0b (current version, https://service.globaltrust.eu/static/globaltrust-practice-statement.20240216.pdf) is issued. The error from 2020-04-03 is not corrected but repeated in regards to Version 3.0a 6th November, 2023 (the file name extension .pdf is missing a "." - it should be ...20231106.pdf rather than ...20231106pdf)
2024-05-03
- 11:09 in Bug 1862004 Delayed revocation, the first comment because of generally missing links to earlier CP/CPS versions is made: https://bugzilla.mozilla.org/show_bug.cgi?id=1862004#c10
2024-05-08
- 16:38 in Bug 1893546 failure to follow incident report requirements, ECM provides a full incident report including a current list of historic policy documents: https://bugzilla.mozilla.org/show_bug.cgi?id=1893546#c4
2024-05-10
- 09:11 ECM decides internally to abandon the practice of listing historic policy URIs in the CP/CPS documents, but instead list them in the repository (English: https://globaltrust.eu/en/certificate-policy-2/, German: https://globaltrust.eu/certificate-policy/)
- 14:19 ECM makes a change request internally at the website staff.
2024-05-15
- 4:10 in Bug 1862004 Delayed revocation, Ben Wilson advises to provide an incident report for not maintaining proper working links to historic policy documents. (https://bugzilla.mozilla.org/show_bug.cgi?id=1862004#c16)
2024-05-17
- 13:35 in Bug 1862004 Delayed revocation, ECM provides a list of historic CP/CPS links: https://bugzilla.mozilla.org/show_bug.cgi?id=1862004#c21
- 13:42 This bug is opened
- 16:00 Website is updated, repositories contain historic policy URIs now.
Root Cause Analysis
To understand this incident, it is important to note that since 2006, ECM has been linking historical CP/CPS documents using the section "SCHEDULE / VERZEICHNISSE Author(s) and validity / Autor(en) und Gültigkeitshistorie." directly within the document, instead of providing a list on the website. This approach was chosen to ensure that the corresponding URLs had the same authenticity and integrity as the CP/CPS document itself. This method has been maintained over the years. When Mozilla's requirement came to link historical versions, this approach was deemed suitable.
However, this approach has some drawbacks in terms of flexibility. CP/CPS documents have various internal processes (such as multiple approval levels, release by management, etc.) and external processes (pre-notification to regulatory authorities, etc.) that make them somewhat rigid - which is good, but can pose challenges if errors occur, as they cannot be easily rectified with a few clicks, as would be the case with a website.
The root cause of this issue is considered to be human error. While multiple individuals are involved in revising the CP/CPS, and a redline version is created, the links that were subsequently destroyed were managed as field functions. When creating a redline, it is necessary to turn off the track changes mode once, in order to avoid overwhelming the document with numerous revised chapters, headings, references, etc. It would otherwise be too much information to review. The reason these links were not noticed during the final editing phase is that they were not flagged as changes.
Lessons Learned
What went well
- All historical CP/CPS versions were accessible at any given time, even if accessing the link required some guesswork.
- The integrity and authenticity of the historical CP/CPS documents were consistently maintained.
- There is no ambiguity regarding which version is applicable for any given time period or product.
What didn't go well
- There was a relatively long period between handing over to the website team and the update of the website.
Where we got lucky
- ECM did not find any circumstance attributable to luck.
Action Items
Action Item | Kind | Due Date
---|---|---
Revise process | Prevent, Improve | completed 2024-05-10
Provide functioning links on website | Resolve | completed 2024-05-17
Updated CP/CPS version linking only to the website | Resolve, Prevent, Improve | CW 26
Appendix
As no specific certificates are affected, we will repurpose this section as a "Useful Links" section to assist the community in evaluating our policies and practices over the past years.
Repository
- German: https://globaltrust.eu/certificate-policy/
- English: https://globaltrust.eu/en/certificate-policy-2/
GLOBALTRUST Certificate Policy
- https://service.globaltrust.eu/static/globaltrust-certificate-policy.pdf
- https://service.globaltrust.eu/static/globaltrust-certificate-policy.20230819.pdf
- https://service.globaltrust.eu/static/globaltrust-certificate-policy.20230427.pdf
- https://service.globaltrust.eu/static/globaltrust-certificate-policy.20220428.pdf
- https://service.globaltrust.eu/static/globaltrust-certificate-policy.20210429.pdf
- https://service.globaltrust.eu/static/globaltrust-certificate-policy.20210115.pdf
- https://service.globaltrust.eu/static/globaltrust-certificate-policy.20200403.pdf
GLOBALTRUST Certificate Practice Statement
- https://service.globaltrust.eu/static/globaltrust-practice-statement.pdf
- https://service.globaltrust.eu/static/globaltrust-practice-statement.20231106.pdf
- https://service.globaltrust.eu/static/globaltrust-practice-statement.20230113.pdf
- https://service.globaltrust.eu/static/globaltrust-practice-statement.20220114.pdf
- https://service.globaltrust.eu/static/globaltrust-practice-statement.20210115.pdf
- https://service.globaltrust.eu/static/globaltrust-practice-statement.20200403.pdf
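The two link defects the timeline describes (a missing "." before the pdf extension, and a version-history row pointing at the undated current document instead of the dated archive copy) are exactly the kind of thing a repository owner can lint offline before publishing. The checker below is an added example, not code from the bug or from ECM; the `Entry` rows, the regex patterns and the assumption that the date in the file name equals the issue date in the version table are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Dated archive copy following the naming convention seen in the report's URLs
# (assumption: the 8-digit date in the file name is the document's issue date).
DATED_RE = re.compile(
    r"^https?://[^/]+/static/globaltrust-(certificate-policy|practice-statement)"
    r"\.(\d{8})\.pdf$"
)
# Defect 1: "...20191213pdf" instead of "...20191213.pdf".
MISSING_DOT_RE = re.compile(r"\.(\d{8})pdf$")
# Defect 2: row links to the undated "current" file, which changes on every release.
UNDATED_RE = re.compile(r"/globaltrust-(certificate-policy|practice-statement)\.pdf$")


@dataclass
class Entry:
    version: str
    issued: str   # YYYYMMDD as listed in the version-history table
    url: str


def check_entry(e: Entry) -> list[str]:
    """Return the problems found for one version-history row (empty list = OK)."""
    problems = []
    if MISSING_DOT_RE.search(e.url):
        problems.append("missing '.' before pdf extension")
    elif UNDATED_RE.search(e.url):
        problems.append("links to undated current document instead of dated archive copy")
    else:
        m = DATED_RE.match(e.url)
        if not m:
            problems.append("URL does not follow the dated archive naming convention")
        elif m.group(2) != e.issued:
            problems.append(f"date in URL {m.group(2)} does not match issue date {e.issued}")
    return problems


def check_history(entries: list[Entry]) -> dict[str, list[str]]:
    """Map each offending version to its problems; clean rows are omitted."""
    return {e.version: p for e in entries if (p := check_entry(e))}


# Constructed sample rows modelled on the defects in the report, not copied from the PDFs.
SAMPLE = [
    Entry("2.0f", "20191213", "https://service.globaltrust.eu/static/globaltrust-certificate-policy.20191213pdf"),
    Entry("2.0g", "20200403", "https://service.globaltrust.eu/static/globaltrust-certificate-policy.20200403.pdf"),
    Entry("3.0", "20220428", "http://www.globaltrust.eu/static/globaltrust-certificate-policy.pdf"),
]

if __name__ == "__main__":
    for version, problems in check_history(SAMPLE).items():
        print(version, "->", "; ".join(problems))
```

Running it over the constructed rows flags 2.0f and 3.0 and passes 2.0g; a live HTTP HEAD on each archive URL would complement this syntactic check but is deliberately left out so the lint runs offline.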
Comment 3•21 days ago
As you might know, browsers have decided to remove e-commerce monitoring GmbH (ECM) with its Root Certificate "GLOBALTRUST 2020" from their Root Programs as of June 30, 2024. Certificates issued before this date will retain their full validity.
The reasons for the removal have been comprehensively discussed in the Bugzilla forum. We acknowledged and accepted the decision. We have identified the shortcomings in our processes, particularly related to reaction time. Consequently, we are taking these issues very seriously and are committed to addressing them. An action plan is being rolled out to restructure our Certificate Authority (CA) functions. Our goal is to be included again in the Root Programs.
ECM's shareholder, AUSTRIA CARD, is committed to regaining full compliance with the Browser/OS Root Store Policies. This commitment, which is strongly supported by our recently changed management, underscores our dedication to maintaining the widest compatibility and coverage.
As an immediate action, and until full remediation, ECM has ceased the issuance of TLS certificates according to the CA/Browser Forum Requirements. TLS certificates will be provided solely based on Regulation (EU) No 910/2014, Annex IV, as recently amended by Regulation (EU) 2024/1183 (“QWACs”). Certificates for interoperability testing purposes are excluded from this decision.
ECM, with its product lines GLOBALTRUST and TRUST2GO, is a Qualified Trust Service Provider (QTSP) according to EU eIDAS regulation and is under continuous supervision by the Austrian regulatory authority (RTR/TKK). Our activities are regularly evaluated by an accredited conformity assessment body based on numerous standards (e.g., eIDAS, ETSI), which include comprehensive logical, physical, and organizational security measures.
Our goal is to rebuild trust and demonstrate our commitment to upholding the highest standards in our industry.
For inquiries, please contact the Compliance & Product Management team, Attn: Mr. Daniel Zens, at ca@globaltrust.eu