Closed Bug 1963546 Opened 22 days ago Closed 3 days ago

certSIGN: Findings in 2025 ETSI Audit - Audit Incident Report

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gabriel.petcu, Assigned: gabriel.petcu)

Details

(Whiteboard: [ca-compliance] [audit-finding])

Steps to reproduce:

certSIGN had the yearly audit for 2025 and received the Audit Attestation letters.

Actual results:

Findings reported in:
LSTI Standard Audit Attestation (CAB-Forum_AAL_Standard_Audit_1612-377-v2) from 28-04-2025
LSTI TLS BR Audit Attestation (CAB-Forum_AAL_TLS-BR_Audit_1612-377-v2) from 28-04-2025
LSTI TLS EV Audit Attestation (CAB-Forum_AAL_TLS-EV_Audit_1612-377-v2) from 28-04-2025.
All the findings were considered by the auditors as minor non-conformities.

Expected results:

Finding #1

On CPS "certSIGN Web CA for QWAC & EV Certificates" the association of each policy identifier with each specific OID was not explicit (ETSI EN 319 411-1 OVR-7.1-02)

Root Cause Analysis

The policy identifiers were specified only as numbers in the CPS tables for each certSIGN OID:
as ‘Policy Identifier=0.4.0.2042.1.4’ for Extended Validation end-user certificates and
as ‘Policy Identifier=0.4.0.2042.1.4’ plus ‘Policy Identifier=0.4.0.194112.1.4’ for QWAC end-user certificates, and the auditors insisted that the associated acronyms ‘EVCP’ and ‘QEVCP-w’ respectively also be added, for clarity.

Action Item          Kind      Due Date
Correct the CPS      Correct   2025-03-21
Quarterly review     Prevent   permanent/quarterly

Update the CPS in section 1.3.1 Certification Authorities to also include the acronyms of the policies: EVCP and QEVCP-w.

Finding #2

On a set of OID (certificate profiles not yet delivered to customers), the certificates are issued for testing purposes in a manner that does not follow the normal registration process, and no reasonable assurance that these certificates cannot be used outside of the testing scope is currently given. (ETSI EN 319 411-1 OVR-6.9.2-01C)

Root Cause Analysis

certSIGN did not use test certificates in Production, only on Demo/Test platforms.

Action Item              Kind      Due Date
Update the CPS           Correct   2025-05-30
Update Test procedures   Correct   2025-05-30
Quarterly review         Prevent   permanent/quarterly

This is not applicable to TLS certificates, where we already have the test certificates on site. Update the Public and Qualified CPSs in section 4.3 Certificate Issuance to include test certificates for the Production environment. Update the testing procedures to include the testing conditions and limitations for Production testing.

Finding #3

OID 1.3.6.1.4.1.25017.3.1.4.6 is not listed in the OID list in certSIGN Web CA - Terms and Conditions (ETSI EN 319 411-1 DIS-6.1-05)

Root Cause Analysis

Delayed publication of the updated version of the Terms and Conditions after the CPS update.

Action Item               Kind      Due Date
Update the T&C            Correct   2025-02-21
Sync CPS & T&C updates    Prevent   permanent/quarterly

Finding #4

The test certificate from 2023, "testssl-expired-evcp.certsign.ro.crt", does not respect the relative order of the Subject attributes as required in BR #7.1.4.2 (CA/Browser Forum v2.1.2 #7.1.4.2)

Root Cause Analysis

When we created the list for bug #1886624 “certSIGN: Certificates with incorrect Subject attribute order”, we included the certificate above: crt.sh/?serial=234F86B9A9DC729F0531.
The fix was to revoke all valid certificates, and as this certificate was already expired, it remained as it was.

Action Item               Kind      Due Date
Replace the certificate   Correct   2025-03-21
Quarterly review          Prevent   permanent/quarterly

Finding #5

Conflicting information in "Certification Practice Statement certSIGN Web CA for DV SSL Certificates" on chapter 3.2.2.1 Identity. (ETSI EN 319 411-1 REG-6.2.2-03A)

Root Cause Analysis

Typographical error. During the yearly update, previously deleted text in a paragraph was restored by mistake and was not noticed and corrected by the verifier.

Action Item               Kind      Due Date
Update the CPS            Correct   2025-03-21
Update Review process     Prevent   2025-06-01

Assignee: nobody → gabriel.petcu
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [audit-finding]
Type: enhancement → task
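A minimal pre-issuance lint for the Subject attribute ordering rule behind Finding #4, added here as an example and not part of certSIGN's report or tooling. It takes a one-line Subject in encoded order, as printed by `openssl x509 -noout -subject`, and reports every pair of attributes that is out of order. The ordering list is the relative order given in BR section 7.1.4.2 (v2.x); the short-name mapping is an assumption, and the sample subjects are constructed.

```python
import re

# Relative order of Subject attributes required by BR section 7.1.4.2 (v2.x);
# attributes not listed here are not constrained by the ordering rule.
BR_SUBJECT_ORDER = [
    "domainComponent", "countryName", "stateOrProvinceName", "localityName",
    "postalCode", "streetAddress", "organizationName", "surname", "givenName",
    "organizationalUnitName", "commonName",
]
# Assumed mapping from the short names OpenSSL prints to the names above.
SHORT_NAMES = {
    "DC": "domainComponent", "C": "countryName", "ST": "stateOrProvinceName",
    "L": "localityName", "POSTALCODE": "postalCode", "STREET": "streetAddress",
    "O": "organizationName", "SN": "surname", "GN": "givenName",
    "OU": "organizationalUnitName", "CN": "commonName",
}

def parse_dn(dn):
    """Split a one-line Subject in encoded order (as printed by
    `openssl x509 -noout -subject`) into (attribute, value) pairs.
    Escaped commas are unescaped; multi-valued RDNs ('+') are not handled."""
    if dn.startswith("subject="):
        dn = dn[len("subject="):]
    attrs = []
    for part in re.split(r"(?<!\\),", dn):
        name, _, value = part.partition("=")
        name = SHORT_NAMES.get(name.strip().upper(), name.strip())
        attrs.append((name, value.strip().replace("\\,", ",")))
    return attrs

def subject_order_violations(attrs):
    """Return (earlier, later) pairs of attributes that appear in the wrong
    relative order; an empty list means the Subject satisfies BR 7.1.4.2."""
    rank = {name: i for i, name in enumerate(BR_SUBJECT_ORDER)}
    ordered = [name for name, _ in attrs if name in rank]
    violations = []
    for i, earlier in enumerate(ordered):
        for later in ordered[i + 1:]:
            if rank[later] < rank[earlier]:
                violations.append((earlier, later))
    return violations

if __name__ == "__main__":
    # Constructed sample subjects, not taken from any real certSIGN certificate.
    for dn in ("subject=C = RO, L = Bucuresti, O = Example SRL, CN = good.example.test",
               "subject=CN = bad.example.test, O = Example SRL, C = RO"):
        print(dn, "->", subject_order_violations(parse_dn(dn)) or "compliant")
```

Running the check over every certificate in a CA's corpus, expired ones included, is what catches the case described in Finding #4, where a remediation scoped to valid certificates left the expired one untouched.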

Should a separate bug be opened for each of these issues? These fall under different root causes with different questions and community discussion:

Findings #1 and #5 - Incorrect CPS information where information was unintentionally changed. For these two findings, we probably want to look at the process in place to review the CPS and changes, and the approval process.

Findings #2, #3 and #4 - Cert profiles going outside the flow or having incorrect information. Does that mean these certs were not being linted? What other checks were skipped?

[In response to Comment 1]

The existing CCADB Policy still references the concept of an “Audit Incident Report” - which is what certSIGN appears to have disclosed here.

When the CCADB Steering Committee updated the CCADB Incident Reporting Guidelines (IRGs), the corresponding “Audit Incident Report” guidance was removed under the expectation that all incident reports would follow the same reporting process going forward. In part, this change was motivated by the public discussion process.

Recently announced, the CCADB Steering Committee is working on an update to the CCADB Policy - which further removes the concept of an “Audit Incident Report” from CCADB.org - and will hopefully reduce opportunities for confusion.

While the IRGs offer some degree of flexibility related to the scope of reports (“There SHOULD be a single Incident Report for each distinct matter, and CA Owners MUST submit an additional, separate Incident Report when…”), from Chrome’s view, we would prefer distinct reports for each issue/audit finding using the current IRG templates to allow more thoughtful root cause analysis and evaluation of action items.

We will submit separate tickets for each finding, using the recommended template.

I have opened separate tickets for each audit finding:

I propose closing this preliminary audit report.

If there are no further requirements, we propose to close this incident.

I think this can be closed because five other incident reports have been opened that replace this incident report.

Status: ASSIGNED → RESOLVED
Closed: 3 days ago
Resolution: --- → FIXED