Chunghwa Telecom: “Test Website - Valid" URL disclosed to CCADB is expired
Categories: CA Program :: CA Certificate Compliance (task)
Tracking: Not tracked
People: Reporter: tmkuo; Assigned: tmkuo
Details: Whiteboard: [ca-compliance] [policy-failure]
Incident Report
Summary
During the email communication with the Browser contact, this problem was found and notified to us by the Browser contact.
Impact
A total of 1 certificate (good.epkiov.hinet.net) is affected.
Timeline
All times are UTC.
2024-06-12
- 00:22 Received the response email including the notification of expiration.
- 17:43 Investigated and reviewed the cause.
2024-06-13
- 10:51 Submitted the certificate request.
- 17:17 Completed the review and certificate issuance.
- 18:30 Completed certificate replacement.
Root Cause Analysis
The CA system sent an expiration notification letter, but the website administrator of ePKI ignored it.
Lessons Learned
- Even well-trained administrators can make low-level mistakes. We have warned the website administrator of ePKI not to ignore such notices again, and calendar reminders are set to avoid the same mistake.
Where we got lucky
Action Items
Action Item | Kind | Due Date
---|---|---
Complete certificate replacement. | Detect | 2024-06-13
Conduct a discussion and review meeting, and set calendar reminders to avoid the same mistake. | Prevent | 2024-06-20
Appendix
Details of affected certificate
Based on Incident Reporting Template v. 2.0
Comment 1•6 months ago
Does Chunghwa Telecom believe this incident report is complete? It is remarkably thin on details and I think compares very unfavourably to reports being submitted by your peers in the web PKI community.
In particular, the timeline seems to be missing key events like the initial issuance of the certificate, and the date the certificate expired. I also believe your action items fail to provide meaningful assurance that this event won't happen again.
Why isn't the deployment of certificate renewal automation being considered as an action item?
What about improvements to your own monitoring practices as an action item? Why was this not discovered by your own team?
Comment 2•5 months ago
(In reply to Daniel McCarney from comment #1)
> Does Chunghwa Telecom believe this incident report is complete? It is remarkably thin on details and I think compares very unfavourably to reports being submitted by your peers in the web PKI community.
> In particular, the timeline seems to be missing key events like the initial issuance of the certificate, and the date the certificate expired.
Let me restructure the timeline as follows:
Timeline
All times are UTC.
2022-09-08
- 19:59 Initial issuance of the cert with domain name "good.epkiov.hinet.net" (https://crt.sh/?id=7499040300)
2023-09-08
- 19:59 Expiration of the cert.
2024-06-12
- 00:22 Received the response email from the browser, including the notification of expiration; the cert had expired 278 days ago.
- 17:43 Investigated and reviewed the cause.
2024-06-13
- 10:51 Submitted the certificate request.
- 17:17 Completed the review and certificate issuance.
- 18:30 Completed certificate replacement.
> I also believe your action items fail to provide meaningful assurance that this event won't happen again.
> Why isn't the deployment of certificate renewal automation being considered as an action item?
> What about improvements to your own monitoring practices as an action item? Why was this not discovered by your own team?
Thanks for your comment; we will discuss ways to automate certificate renewal and whether it can be achieved in a short time.
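The monitoring improvement comment 1 asks for, as an added example and not Chunghwa Telecom's code: it probes each CCADB-disclosed test website with full certificate verification on, and classifies the leaf certificate's notAfter using the same calendar-day arithmetic as the timeline above (the 278-day figure). The host list and the 30-day warning threshold are assumptions; good.epkiov.hinet.net is the host named in the report.

```python
"""Expiry monitor for the test websites a CA discloses to CCADB.

Added example, not Chunghwa Telecom's code. TEST_SITES and WARN_DAYS are
assumptions; good.epkiov.hinet.net is the host named in the incident report.
"""
import socket
import ssl
from datetime import datetime, timezone

TEST_SITES = ["good.epkiov.hinet.net"]  # assumed list of disclosed test URLs
WARN_DAYS = 30  # assumed alerting threshold


def assess(not_after, now=None, warn_days=WARN_DAYS):
    """Classify a certificate from its notAfter string in the form
    ssl.getpeercert() reports, e.g. 'Sep  8 19:59:00 2023 GMT'.
    Returns (status, days): days is calendar days since expiry for
    'expired', or calendar days until expiry for 'expiring-soon' / 'ok'.
    `now` may be a datetime, an ISO-8601 string, or None for the clock."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    days = (expiry.date() - now.date()).days
    if days < 0:
        return "expired", -days
    if days <= warn_days:
        return "expiring-soon", days
    return "ok", days


def probe(host, port=443, timeout=10):
    """Fetch the leaf certificate's notAfter over TLS with verification on.
    A verification failure is itself a finding (an expired certificate fails
    verification), so it is returned as a status instead of being raised."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return assess(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:  # subclass of OSError; catch first
        return "verify-failed", exc.verify_message  # e.g. 'certificate has expired'
    except OSError as exc:
        return "unreachable", str(exc)


if __name__ == "__main__":
    for site in TEST_SITES:
        status, detail = probe(site)
        print(f"{site}: {status} ({detail})")
```

Run it from a scheduler; any status other than "ok" is the alert the report's timeline shows was missing for 278 days.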
Comment 3•5 months ago
The feasibility of certificate renewal automation is confirmed; it can be deployed in our new CA system. We are still evaluating the timeline for this.
Comment 4•4 months ago
We have deployed an automated certificate renewal mechanism in our test CA environment, and it is still under testing.
Comment 5•4 months ago
The testing of the automated certificate renewal mechanism in our test CA environment is finished; we will deploy it to our production environment next week.
Comment 6•2 months ago
Currently, ACME has been implemented in our CA production environment, and the certificate for the test website (valid), with FQDN good.hipkig1ov.hinet.net, has been automatically applied for and installed on a scheduled basis on 2024-09-19.