Open Bug 1921596 Opened 14 hours ago

KIR: Failure to disclose intermediate certificate within 7 days in ccadb

Categories

(CA Program :: CA Certificate Compliance, task)

Product:
CA Program
Component:
CA Certificate Compliance
Type:
task

Tracking

(Not tracked)

Status:
UNCONFIRMED

People

(Reporter: piotr.grabowski, Unassigned)

Details

Incident Report

Summary
An incident occurred where 2 issued intermediate certificates were incorrectly disclosed in ccadb via case instead of dedicated link in ccadb.
We were first notified by a email message from Rob Stradling posted to kontakt at kir.pl. At moment all affected certificates are correctly disclosed in ccadb

Impact
2 Intermediate CA certificates issued on Sep 16, 2024 – 10:05 UTC and Sep 16, 2024 – 10:16 UTC
https://crt.sh/?caid=369967
http://cdp.elektronicznypodpis.pl/0AB915C94EAD61F41BB811EDCA6365ACE59577FD.crt (at the momenet the certificate is now visible in crt.sh)

Timeline
Sep 25, 2024 – 11:33 UTC – Rob Stradling posts an email message to kontakt at kir.pl.
Sep 26, 2024 – 09:52 UTC – The message is sent from first line of technical support at KIR to WebPKI team. We begin a preliminary investigation.
Sep 26, 2024 – 11:11 UTC – Piotr Grabowski from KIR WebPKI team responds to Rob’s message that intermediate certificate was disclosed in ccadb via case within 7 days .
Sep 26, 2024 – 12:44 UTC – Rob Stradling posts an email message to Piotr Grabowski from KIR WebPKI team referencing the correct disclosure procedure.
Sep 27, 2024 – 06:20 UTC – Oprational procedure for disclosure to CCADB was updated to include detailed steps for disclosure to CCADB.
Sep 27, 2024 – 07:30 UTC – KIR WebPKI disclosed intermediate certificate in ccadb according correct disclosure procedure https://www.ccadb.org/cas/intermediates#adding-intermediate-certificate-data.

Root Cause Analysis

Our operational procedure for disclosure to CCADB was too general and was not referencing the correct disclosure procedure directly https://www.ccadb.org/cas/intermediates#adding-intermediate-certificate-data that is why WebPKI team operator chose the wrong way to disclose the certicates in ccadb via case.
We already modified our operational procedure to include detailed steps for disclosure to CCADB

Lessons Learned

What went well

Both afftected certicates were disclosed in time, within 7 days in ccadb (2 days after afftected certicates were generated). We attempted to comply with the 7-day disclosure requirement for new intermediate certificates.

What didn't go well

Both afftected certicates were disclosed incorrectly via case instead of dedicated link in ccadb.

Where we got lucky

Action Items

Action Item Kind Due Date
Oprational procedure for disclosure to CCADB was updated Prevent Sep 27, 2024 (completed)
Update training for WebPKI team to use updated Oprational procedure for disclosure Prevent Sep 27, 2024 (completed)

Based on Incident Reporting Template v. 2.0

You need to log in before you can comment on or make changes to this bug.