Closed Bug 1924492 Opened 1 year ago Closed 11 months ago

eMudhra emSign PKI Services: Failure To Update CA Owner Information In CCADB

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: naveen.ml, Assigned: naveen.ml)

Details

(Whiteboard: [ca-compliance] [disclosure-failure])

Incident Report

Summary

On 7th October 2024 it was identified that the contact information stored in the CCADB was not kept up to date, specifically the email address intended for Certificate Problem Reporting. While the correct contact information was reflected in our CP/CPS, the CCADB continued to reflect a general support email address. As a result, certificate revocation requests were directed to the general enquiry channel rather than the dedicated Certificate Problem Reporting channel.

Impact

The failure to update the CCADB resulted in a delay in handling a time-sensitive revocation request. However, no security incidents or misuse of certificates occurred during this delay. The issue primarily affected the efficiency of our internal processes rather than causing any direct harm to the integrity of the certificates.

Timeline

All times are IST.

2024-08-31 23:19: A researcher submitted a certificate revocation request, which was delayed as it was sent to the general enquiry email instead of the dedicated Certificate Problem Reporting contact.
2024-09-02 09:40: An internal incident was raised to investigate the delay in processing the revocation request. During the investigation, it was identified that the request had been sent to the general enquiry email address.
2024-09-03 20:54: An external incident was raised by eMudhra in Bugzilla (Incident Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1916478) to report the delay in revocation.
2024-10-06 11:02: In response to this, the researcher provided a comment in the Bugzilla incident stating that the contact information had been sourced from the CCADB, leading to the discovery that the CCADB still reflected the outdated general enquiry email address.
2024-10-08 17:10: Corrective action was initiated to update the CCADB with the correct Problem Reporting contact details.
2024-10-10 02:09: The CCADB was updated with the correct Problem Reporting contact details.
2024-10-11: After updating the CCADB, a formal internal procedure was introduced following the PA Committee meeting. This procedure ensures that whenever changes are made to the CP/CPS, the CCADB entry is reviewed for consistency before the CP/CPS is published. This review includes a second-level verification by an independent reviewer to confirm accuracy. Additionally, quarterly compliance audits will now specifically include a review of both the CP/CPS and CCADB entries to ensure all information is accurate and aligned.

Root Cause Analysis

The root cause of the incident was an oversight during the update of the reporting contacts. While the CP/CPS was updated with the correct contact information, the corresponding CCADB records were not updated in parallel, leading to outdated information being available to the public.

Lessons Learned

This incident highlighted the importance of ensuring all publicly accessible information is kept in sync with internal updates, particularly when dealing with time-sensitive processes like certificate revocation. Following the discovery of this issue, we updated our internal procedures on 2024-10-11 to ensure that updates to critical contact information, such as those in our CP/CPS, are promptly reflected in public repositories like the CCADB.

Moving forward, every time a CP/CPS is updated, a second pair of eyes will review the CCADB information to ensure accuracy, and vice versa. Additionally, this check will be included as part of our compliance activities every quarter to ensure all information remains up to date and aligned across all platforms. This incident also underscores the importance of continuous monitoring and audit mechanisms to ensure that all publicly available information is accurate and current.

What went well

The internal team promptly identified and acted on the discrepancy after the researcher’s notification, which helped mitigate any potential impact. Corrective actions were swiftly implemented, and the CCADB was updated without causing significant disruptions. The issue was resolved before it could escalate, preventing any broader impact on revocation processes.

What didn't go well

The initial oversight in not updating the CCADB concurrently with the CP/CPS led to a discrepancy in publicly listed contact details. As a result, a time-sensitive revocation request was sent to the general enquiry email, potentially delaying action. The lack of synchronization between the two information sources exposed a gap in our update process.

Where we got lucky

Despite the outdated contact information, no major security or service disruption occurred. The researcher’s timely report helped us identify and correct the issue early. The required corrective actions were straightforward and quick to implement, preventing further issues.

Action Items

Action Item                                                           Kind        Due Date
Update the correct problem reporting email id in line with the CCADB  Corrective  2024-10-10
Review and improve processes for CCADB updates                        Prevent     2024-10-11
Conduct periodic review of CCADB data                                 Prevent     2024-12-15

Mitigation and Resolution

Upon identifying the discrepancy, immediate steps were taken to update the CCADB with the correct email address for Certificate Problem Reporting. Additionally, a process has been implemented to ensure that any future updates to the CP/CPS are reflected simultaneously in the CCADB, preventing any misalignment between the two information sources.

Next Steps:

  1. Process Alignment: We will ensure that updates to the CP/CPS will trigger immediate reviews of related public repositories like CCADB to avoid any discrepancies.
  2. Review and Audit: We are conducting a review of all publicly available records to ensure all contact details are consistent and up to date.
  3. Training and Awareness: The team responsible for managing these updates will receive additional training to ensure that all changes are properly communicated across all platforms.

Based on Incident Reporting Template v. 2.0

Assignee: nobody → naveen.ml
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Summary: eMudhra emSign PKI Services: Failure To Update CA Owner Information In CCADB. → eMudhra emSign PKI Services: Failure To Update CA Owner Information In CCADB
Whiteboard: [ca-compliance] [disclosure-failure]

Unless there are further questions, we kindly request this Bugzilla to be closed.

Hi Naveen,
Before we can close this, we will need some type of summary that explains how all action items have been completed.
Here are some suggestions:

The short-summary should include:

  • a description of the incident, its root cause(s), and remediation.
  • a summary of all ongoing commitments made in response to the incident.
  • an attestation that all Action Items have been completed.

Here is a template in markdown:

Incident Report Closure Summary

  • Incident Description: [Two or three sentences summarizing the incident.]
  • Incident Root Cause(s): [Two or three sentences summarizing the root cause(s).]
  • Remediation Description: [Two or three sentences summarizing the incident's remediation.]
  • Commitment Summary: [A few sentences summarizing ongoing commitments made in response to this incident.]

"All Action Items disclosed in this Incident Report have been completed as described, and we request its closure."

Thanks,
Ben

Flags: needinfo?(naveen.ml)

Incident Description:
This incident involved a failure to update the CA owner information in the Common CA Database (CCADB) for the emSign PKI services. The outdated information led to discrepancies and raised compliance concerns regarding the CA’s data representation in public databases. As a result, revocation requests were directed to the general inquiry channel instead of the dedicated Certificate Problem Reporting channel.

Incident Root Cause(s):
The root cause of the incident was an oversight during the contact update process. While the Certification Practice Statement (CP/CPS) reflected the correct contact details, the corresponding CCADB records were not updated simultaneously. This resulted in outdated information being displayed in the CCADB. The issue arose due to procedural lapses and delays in the regular CCADB review process following updates to the CP/CPS.

Remediation Description:
The remediation actions included:

  1. Updating the relevant details in the CCADB by creating a new case, with the data update completed on 10/09/2024.
  2. Conducting an internal audit to identify and address other outdated entries across CA records.
  3. Implementing standardized procedures for maintaining CCADB entries, ensuring alignment with organizational changes.
  4. Reallocating resources to support consistent data accuracy.

To prevent recurrence, regular monitoring and quarterly reviews have been established as part of the ongoing process.

Commitment Summary:
The following action items have been implemented and completed:

  1. Data Verification Policy: A policy has been implemented for quarterly verification of CCADB entries to ensure alignment with any organizational or personnel changes.
  2. Training & Awareness: Half-yearly training sessions have been conducted for team members managing CCADB entries, ensuring they understand update processes and data accuracy requirements.
  3. Resource Allocation: A dedicated team has been assigned to manage CA information updates in the CCADB, preventing delays and ensuring accurate representation.
  4. Internal Audit Follow-ups: Quarterly audits have been scheduled to identify and resolve any discrepancies in CA data.

All action items disclosed in this Incident Report have been completed as described, and we request its closure.

Flags: needinfo?(naveen.ml)

I will close this on Friday, 14-Feb-2025, unless there are issues or questions to discuss.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED