Closed Bug 1918467 Opened 2 months ago Closed 1 month ago

QuoVadis: Findings in 2024 ETSI Audit of QuoVadis Qualified Web ICA G2

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: stephen.davidson, Assigned: stephen.davidson)

Details

(Whiteboard: [ca-compliance] [audit-finding])

Attachments

(1 file)

Preliminary Incident Report

Summary

This is a preliminary incident report and we will post updates as required, noting that the findings being reported here were confirmed as resolved in the course of the audit.

The following bug report lists the non-conformities that are required to be disclosed in compliance with the Chrome root program requirements.
It describes minor non-conformities that were observed in the course of an audit performed by BSI Group The Netherlands B.V. using ETSI standards. The scope of the audit is a QuoVadis legacy platform that is in the process of being replaced with an upgraded EU CertCentral platform. The attestation letter addresses:

  • CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM (SHA-256 8FE4FB0AF93A4D0D67DB0BEBB23E37C71BF325DCBCDD240EA04DAF58B47E1840)
  • CN=QuoVadis Qualified Web ICA G2,O=QuoVadis Trustlink B.V.,C=NL (SHA-256 7FEB9374EAB08D392717C647436DAE06176A24C010607FDA1CCE5E5F0106B472)

The resolution of these non-conformities was observed and the finding reports were closed during an audit walkthrough carried out on August 19, 2024. No findings remained open at the time of the audit letter.

Impact

The three findings are related to processes and documentation.

No certificates were misissued.

Timeline

The attestation letter is attached, dated Sept 04, 2024.

Root Cause Analysis

Finding #1

Insufficient evidence of periodic review of firewall rules. [ETSI EN 319401, REQ-7.8-06]

At the time of the audit, perpetual firewall rule reviews were being performed during rule changes, in addition to semi-annual reviews of rule samples that focused upon rules that had no hits. However, there was insufficient documentation evidencing the outcome of these perpetual and semi-annual reviews. Available documentation only contained the firewall rule exceptions and not the satisfactory rules found during these reviews. The team has since moved from a perpetual review to an annual review of the entire firewall rule base, and now evidences both satisfactory rules and those that require further review.

Action Items

  • Update the firewall review procedures and optimize the review process. (Kind: Mitigate; Due date: 15 August 2024)
  • Transition from a periodic firewall review targeting a sample to an annual firewall review on the entire rule base for EU firewalls. (Kind: Mitigate; Due date: 15 August 2024)
  • Perform the firewall review and ensure that the review is sufficiently evidenced. (Kind: Mitigate; Due date: 15 August 2024)

Status of actions: Done.
Status of finding: Closed.

Finding #2

External monitoring of the QuoVadis CRL and OCSP status was not publicly available on status.digicert.com. [ETSI EN 319411-1, CSS-6.3.10-10, CSS-6.3.10-02]

At the time of the audit, monitoring and alerts for OCSP/CRL were in place internally, but monitoring information was not placed in an external location that could be easily accessed by the public. This is an ETSI requirement; an equivalent does not exist in CABF or root program requirements.

Action Items

  • Monitoring of OCSP/CRL will be placed in an easily accessible location available to the public. (Kind: Mitigate; Due date: 15 August 2024)

Status of actions: Done.
Status of finding: Closed.

Finding #3

Removal of physical access after termination not fully effective. [ETSI EN 319401, REQ-7.6-02]

The Human Resources termination process was not fully effective in identifying two departing employees who had third party datacenter access. Other physical access for these employees was revoked with the exception of one data center located in a country other than that of the employees’ primary office/residence. It was confirmed that the employees did not, in fact, access the data center after the date of termination.

Action Items

  • The termination process will be updated to automatically generate a sub-task for all terminating employees that includes checking whether the employee had access to a data center, and terminating access on a timely basis. (Kind: Prevent; Due date: 5 August 2024)

Status of actions: Done.
Status of finding: Closed.

Lessons Learned

What went well

  • All items were resolved quickly and to the satisfaction of the auditors once identified.

What didn't go well

  • (Finding #1) While firewall reviews were adequate, there was insufficient documentation to prove the performance of the reviews.
  • (Finding #3) Human Resources procedures for access termination focused upon inhouse resources and facilities, and overlooked “occasional” third party facility access in another country.

Where we got lucky

  • (Finding #3) The individuals in question did not use the access they weren’t supposed to have.
Assignee: nobody → stephen.davidson
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [audit-finding]
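The gap behind Finding #1 was not the review itself but its evidence: only exceptions were written down, so an auditor could not see that the satisfactory rules had been looked at. The script below is an added illustration of a rule-base review that records a disposition for every rule, not only the flagged ones; it is not code from the bug report, from QuoVadis or from DigiCert. The CSV export format, the field names, the sample rules, the review date, the 180-day staleness threshold and the "broad allow" heuristic are all assumptions made for the example.

```python
"""
Added example: annual firewall rule-base review that emits an evidence record
for every rule (satisfactory or needs_review), as an auditor would expect.
Rule export format, thresholds and sample data are assumptions, not taken
from the bug report.
"""
import csv
import io
import json
from dataclasses import dataclass, field, asdict
from datetime import date

REVIEW_DATE = date(2024, 8, 15)   # hypothetical review date
STALE_DAYS = 180                  # hypothetical "last hit too old" threshold

# Constructed sample export of a rule base (hits over the review window,
# last hit date; empty last_hit/owner means none recorded).
SAMPLE_EXPORT = """\
rule_id,action,src,dst,service,hits,last_hit,owner
FW-001,allow,10.1.0.0/24,10.2.0.10,tcp/443,18342,2024-08-10,ca-ops
FW-002,allow,any,10.2.0.20,tcp/22,0,,
FW-003,allow,10.1.0.5,10.2.0.30,tcp/8443,12,2023-11-02,ca-ops
FW-004,deny,any,any,any,9921,2024-08-14,ca-ops
FW-005,allow,10.3.0.0/16,any,any,45,2024-08-01,pki-eng
"""


@dataclass
class ReviewRecord:
    rule_id: str
    disposition: str                      # "satisfactory" or "needs_review"
    reasons: list = field(default_factory=list)
    reviewer: str = ""
    review_date: str = ""


def _is_broad_allow(row):
    # Only allow rules are checked for breadth; a default deny-any is expected.
    return row["action"] == "allow" and "any" in (row["src"], row["dst"], row["service"])


def review_rule(row, review_date=REVIEW_DATE, stale_days=STALE_DAYS):
    """Classify one rule and record why, so satisfactory rules are evidenced too."""
    reasons = []
    if int(row["hits"]) == 0:
        reasons.append("no hits in review window")
    elif row["last_hit"]:
        last_hit = date.fromisoformat(row["last_hit"])
        if (review_date - last_hit).days > stale_days:
            reasons.append(f"last hit {last_hit.isoformat()} older than {stale_days} days")
    if _is_broad_allow(row):
        reasons.append("allow rule with 'any' source, destination or service")
    if not row["owner"]:
        reasons.append("no rule owner recorded")
    disposition = "needs_review" if reasons else "satisfactory"
    return ReviewRecord(row["rule_id"], disposition, reasons,
                        review_date=review_date.isoformat())


def review_rulebase(export_text, reviewer, review_date=REVIEW_DATE, stale_days=STALE_DAYS):
    """Review the entire rule base (not a sample) and return one record per rule."""
    records = []
    for row in csv.DictReader(io.StringIO(export_text)):
        rec = review_rule(row, review_date, stale_days)
        rec.reviewer = reviewer
        records.append(rec)
    return records


def summarize(records):
    flagged = sum(1 for r in records if r.disposition == "needs_review")
    return {"rules_reviewed": len(records),
            "satisfactory": len(records) - flagged,
            "needs_review": flagged}


def evidence_jsonl(records):
    """One JSON line per rule: this is the artefact to retain as audit evidence."""
    return "\n".join(json.dumps(asdict(r), sort_keys=True) for r in records)


if __name__ == "__main__":
    recs = review_rulebase(SAMPLE_EXPORT, reviewer="fw-review@example.invalid")
    print(evidence_jsonl(recs))
    print(json.dumps(summarize(recs)))
```

The point of `evidence_jsonl` is that every rule appears in the retained output with its reviewer, date and disposition; a record set containing only the flagged rules is exactly the documentation gap the auditors observed.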

As noted, all items were resolved in the course of the audit.
Any questions?

As noted, we resolved the items in the course of the audit.
Unless there are questions, we request that this bug be closed.

I will schedule to close this on or about this Friday, 4-Oct-2024.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 1 month ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED