Closed Bug 1946418 Opened 1 year ago Closed 11 months ago

Chunghwa Telecom: Delayed to Submit Annual CCADB Self-Assessment 2024 by GTLSCA.

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: leox, Assigned: leox)

Details

(Whiteboard: [ca-compliance] [policy-failure] [disclosure-failure])

Attachments

(1 file)

214.69 KB, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Details

Incident Report

Summary

GTLSCA submitted the 2024 CCADB annual self-assessment to the Root CA Team and uploaded it to CCADB for review, but with a 21-day delay.

Impact

Does not comply with Chrome Root Program Policy Section 6

Root Cause

In 2024, since Self-Assessment v1.4.2 had about 300 confirmation items and we were not familiar with the relevant regulations of CCADB Policy, in order to fill in the content accurately, we carefully confirmed each item. From October 2024, it took about 3 months to confirm each item one by one. However, from the end of December 2024 to January 2025, the person responsible for writing the CCADB Policy Assessment form happened to be busy with the analysis and development of the short-term certificate system, so it was delayed until January 20, 2025 to register the Root CA Team in the CCADB table.

TimeLine

All times are UTC+8.

2024-03-26

  • The Root CA Team reminded the new GTLSCA PM that the personnel who left the unit at the end of last year failed to submit the CCADB Self-Assessment form.

2024-10-01

  • Begin filling out the 2024 GTLSCA CCADB Self-Assessment.

2025-01-19

  • The Root CA Team once again reminded GTLSCA to submit the CCADB Self-Assessment as soon as possible.

2025-01-20

  • The GTLSCA team submitted the CCADB Self-Assessment 2024 to the Root CA Team.

2025-02-04

  • The Root CA Team notified the GTLSCA team to submit an Incident Report explaining the reason.

2025-02-06

  • An Incident Report was issued on Bugzilla to explain the 21-day delay in submitting the 2024 annual self-assessment form.

Lessons Learned

What went well

  • N/A

What didn't go well

  • The handover of tasks was insufficient, lacking proper scheduling and review of the annual plan, resulting in the omission of work items.

Where we got lucky

  • The experienced Root CA Team consistently reminded us of the timeline, urging us to submit the report on time.

Action Items

Action Item                                                      Kind        Due Date
Self-assessment 2024 was Submitted                               -           2025-01-20
Establish the annual plan                                        Prevention  2025-02-12
At least two people will be assigned to check the Root Programs  Prevention  2025-02-25

Appendix

  • Self-assessment 2024
Assignee: nobody → leox
Status: UNCONFIRMED → ASSIGNED
Component: CA Documents → CA Certificate Compliance
Ever confirmed: true
Whiteboard: [ca-compliance] [policy-failure] [disclosure-failure]

We are continuing to monitor this issue.


Report Closure Summary

  • Incident description: GTLSCA delayed the submission of the 2024 CCADB self-assessment report, resulting in non-compliance with the requirements of Section 6 of the Chrome Root Certificate Program policy and the Mozilla Root Store policy. We have confirmed that GTLSCA was 21 days late in submitting the report. Although this incident did not have an immediate impact on the certificate validation process, it reflects deficiencies in GTLSCA's internal process management, affecting its compliance performance in terms of public trust.
  • Incident Root Cause(s): Due to personnel changes, the GTLSCA team was not sufficiently familiar with approximately 300 items on the self-assessment form v1.4.2. To ensure accurate completion of the content, they began verifying each item one by one starting in October 2024 after receiving a reminder, which took about three months. However, from the end of 2024 to January 2025, the responsible personnel were temporarily assigned other tasks, leading to a delay in progress. Ultimately, the assessment report submission was delayed by a total of 21 days, highlighting deficiencies in GTLSCA's compliance management and workflow oversight.
  • Remediation description: GTLSCA has submitted the 2024 CCADB self-assessment report and uploaded the report as attached for review by relevant authorities. Additionally, GTLSCA has strengthened our internal work allocation and process monitoring mechanisms to ensure that all compliance reports are completed and submitted on time in the future. Specific measures include redefining the roles of responsible personnel, establishing a review mechanism, and implementing agile tracking to ensure smooth compliance operations. These steps are intended to prevent similar errors from occurring in the future and to enhance the compliance of CA operations.
  • Commitment summary: GTLSCA commits to further strengthening internal management to ensure that all future compliance reports are submitted on time and meet the required regulations and policies. We will regularly review internal workflows to ensure that all critical tasks have clear responsible parties and backup plans in place, preventing compliance issues due to personnel changes. We will continue to monitor and optimize CA’s operational processes to ensure that we can earn trust again from the public in the future.

All Action Items disclosed in this report have been completed as described, and we request its closure.

I will leave this bug open for a couple of days to see if there are any more comments. If not, then I will take a look at closing this on Wed. 12-Mar-2025.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED