NETLOCK: CPS 1.5.2. problem and contact information update
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: nagy.nikolett, Assigned: nagy.nikolett)
Details
(Whiteboard: [ca-compliance] [policy-failure])
Incident Report
Summary
Wayne e-mailed us on June 28th 2024 at 19:45 UTC regarding multiple issues (NETLOCK CP/S, certification problems).
Wayne indicated that defining the contact person also raises questions. He cited the provisions found in section 1.5.2 of the then-effective CP/S. He further indicated that it does not clearly specify the identity of the contact person in certain cases.
Impact
The provider displayed the contact information in section 1.5.2 of the CP/S, but the following provision required by BRG 4.9.3 was missing: "The CA SHALL provide Subscribers, Relying Parties, Application Software Suppliers, and other third parties with clear instructions for reporting suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, misuse, inappropriate conduct, or any other matter related to Certificates. The CA SHALL publicly disclose the instructions through a readily accessible online means and in Section 1.5.2 of their CPS."
The deficiency affected all of the provider's CP/S documents.
Timeline
All times are UTC
| Action time | Action taken |
|---|---|
| 2024-06-28 19:45 | Wayne e-mailed NETLOCK and did not get an answer within 24 hours |
| 2024-07-03 14:59 | NETLOCK answered Wayne's e-mail |
| 2024-07-09 15:00 | Section 1.5.2 of the CP/S was modified and employees were trained |
Root Cause Analysis
The provider did not display the contact information required by BRG 4.9.3 in section 1.5.2 of the CP/S. Instead, only the contact information for questions and comments regarding the CP/S was provided. The missing contact information was due to the provider's previous interpretation that emails received at the address listed in the CP/S would result in immediate notification of the relevant unit by the provider's staff, so that the necessary actions would be taken immediately, but within 24 hours at the latest, as required by BRG 4.9.3. The investigation revealed that the necessary specific information was indeed not displayed by the provider and thus needed to be supplemented.
Lessons Learned
What went well
The provider displayed contact information in section 1.5.2 of the CP/S, continuously followed up on and responded to the requests received there, and, when necessary, escalated the issue to another unit.
What didn’t go well
The provider’s previous interpretation did not include the mandatory contact information specified in BRG 4.9.3, as it was thought that the provided contact information would suffice.
Where we got lucky
The issue did not involve any event where the provider failed to handle a request sent to the previous contact email within 24 hours and, for example, did not revoke a compromised certificate within 24 hours.
Action Items
On July 9th, 2024, the provider supplemented its CP/S and included the mandatory elements required by BRG 4.9.3. Concurrently, the provider trained the staff of the relevant units who need to take action as per section 1.5.2 of the CP/S.
Updated•1 year ago
Comment 1•1 year ago
Are there any new or discovered action items that have been performed or that need to still be completed? If not, please request that I close this bug with a "Need Info" / "Request information from triage owner".
Dear Ben,
We hereby request the closure; there have been no additional items performed.
Comment 3•11 months ago
I will close this matter tomorrow, 6-Sept-2024, unless there are additional discussions that need to be had.
Updated•11 months ago