Closed Bug 1965804 Opened 9 months ago Closed 8 months ago

certSIGN: Findings in 2025 ETSI Audit - Audit Incident Report #1 – Improve clarity in CPS

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gabriel.petcu, Assigned: gabriel.petcu)

Details

(Whiteboard: [ca-compliance] [audit-finding])

Full Incident Report

Finding #1 – Improve clarity in CPS

Summary

On CPS "certSIGN Web CA for QWAC & EV Certificates" the association of each policy identifier with each specific OID was not explicit (ETSI EN 319 411-1 OVR-7.1-02)

  • CA Owner CCADB unique ID: A000013
  • Incident description: The policy identifier acronyms were not specified in the CPS schema in Chapter 1.3.1. Although an explicit mapping of the policy acronyms already existed in “Table 7.6. Policy identifiers and their names”, the auditors insisted on also adding the acronyms ‘EVCP’ and ‘QEVCP-w’ to the schema in chapter 1.3.1.
  • Timeline summary:
    • Non-compliance start date: N/A
    • Non-compliance identified date: 29-Apr-2025
    • Non-compliance end date: 30-Apr-2025
  • Relevant policies: certSIGN Web CA for QWAC & EV Certificates version 1.31
    Considered insufficient in: chapter 1.3.1 Certification Authorities;
    Already existing in: Table 7.4a. Qualified TLS QWAC certificate extensions; Table 7.4b. TLS EV certificate extensions; Table 7.6. Policy identifiers and their names.
  • Source of incident disclosure:

CAB-Forum_AAL_Standard_Audit_1612-377-v2.pdf

CAB-Forum_AAL_TLS-BR_Audit_1612-377-v2.pdf

CAB-Forum_AAL_TLS-EV_Audit_1612-377-v2.pdf

Impact

There is no impact as the policies were already specified in the CPS.

  • Total number of certificates: 0 (N/A)
  • Total number of "remaining valid" certificates: 0 (N/A)
  • Affected certificate types: This incident was related to EV certificates
  • Incident heuristic: No certificates had been affected
  • Was issuance stopped in response to this incident, and why or why not?: No, as no certificates had been affected.
  • Analysis: This was actually an improvement, for better clarity.
  • Additional considerations: To improve clarity for the readers it is better to display also the acronyms within the schemas in the public documents.

Timeline

All the times are UTC time.

29-Apr-2025 13:06 – Awareness of the incident - e-mail received from the auditors with the Audit Attestation Letters.

29-Apr-2025 15:00 – Internal certSIGN meeting discussing and validating the update of the CPS schema with the acronyms, to be applied.

29-Apr-2025 16:00 - Approval of the certSIGN Committee for publication of version 1.32 of the CPS with effective date 30-Apr-2025

29-Apr-2025 17:00 – Publication of the CPS certSIGN Web CA for QWAC & EV Certificates version 1.32 in the Repository.

30-Apr-2025 09:53 – Open preliminary report - Bugzilla ticket Bug 1963546

Related Incidents

N/A

Bug Date Description
[Related Bug ID](Related Bug URL) Date Related Bug was opened A description of how the subject Bug is related to the Bug referenced.

Root Cause Analysis

Root Cause #1

Contributing Factor #: title Inconsistency on similar updates for multiple CPSes

  • Description: An improvement was applied to the 15 January 2025 versions of the DV and OV CPSes by adding the policy acronyms to the PKI System OIDs schema in chapter 1.3.1. The same improvement was not applied to the QWAC&EV CPS, and the verification process did not flag this as an issue.
  • Timeline: In the yearly update of the CPSes on 15 January 2025, the PKI Policies Manager of certSIGN introduced an improvement by adding the policy acronyms to the PKI System OIDs schema for the DV CPS and for the OV CPS.
    During the annual ETSI audit held at the beginning of February 2025, the auditors noticed the change and welcomed it, for the DV CPS and for the OV CPS.
    In March 2025 the QWAC&EV CPS was updated to include the acronyms in the schema, and the change was scheduled for approval.
  • Detection: The mapping of the policy OIDs to acronyms already existed in all the CPSes, in Table 7.6, so the minor inconsistency between the different CPSes passed without remark in the internal verifications carried out during the yearly review. After the audit, the auditors considered that the improvement should also be applied to the QWAC&EV CPS and marked it as a finding in the AAL.
  • Interaction with other factors: N/A
  • Root Cause Analysis methodology used: N/A

Lessons Learned

  • What went well: We have an improvement on the readability of the CPSes.
  • What didn’t go well: We had an inconsistency between the CPSes that went unobserved.
  • Where we got lucky: There is no impact on the certificates nor on the users.
  • Additional: We improved our verification process.

Action Items

Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status
Correct the CPS | Correct | Root Cause #1 | Compare TLS CPSes | 2025-03-21 | Complete
Publish the CPS | Correct | Root Cause #1 | Check site | 2025-04-30 | Complete
Quarterly review | Prevent | Root Cause #1 | Internal audit report | Quarterly | Ongoing

Appendix

N/A

Assignee: nobody → gabriel.petcu
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [audit-finding]

As requested in Comment 3 – by chrome-root-program - in https://bugzilla.mozilla.org/show_bug.cgi?id=1965807
the updates for this issue are:
(1) “Subject line” - the Title was appended with: "– Improve clarity in CPS"
(2) “Source of incident disclosure” is "Audit"
(3) "Timeline" - add: 15-Jan-2025 16:00 Publication of the annual updates of all certSIGN CPSes
(4) “Related Incidents” - no change
(5) “Root Cause Analysis” - no change
(6) “Lessons Learned” - no change
(7) “Action Items” - replace "Correct" with "Mitigate"

Summary: certSIGN: Findings in 2025 ETSI Audit - Audit Incident Report #1 → certSIGN: Findings in 2025 ETSI Audit - Audit Incident Report #1 – Improve clarity in CPS

If there are no other questions on this report, as all the actions are completed, we propose to close it.

Closure Report

Report Closure Summary

  • Incident description: The policy identifier acronyms were not specified in the CPS schema in Chapter 1.3.1. Although an explicit mapping of the policy acronyms already existed in “Table 7.6. Policy identifiers and their names”, the auditors insisted on also adding the acronyms ‘EVCP’ and ‘QEVCP-w’ to the schema in chapter 1.3.1.
  • Incident Root Cause(s): An improvement was applied to a set of CPSes for better clarity. The same improvement was not applied to a similar CPS, and the verification process did not flag this as an issue.
  • Remediation description: Apply the same improvement to all the similar CPSes.
  • Commitment summary: Permanently add, to the yearly Internal Audit Plan, an overall verification of the updates proposed to public documents, done by a third party, like the internal auditor, checking the consistency between all the documents changes.

All Action Items disclosed in this report have been completed as described, and we request its closure.

Flags: needinfo?(incident-reporting)

This is a final call for comments or questions on this Incident Report.

Otherwise, it will be closed on approximately 2025-06-11.

Whiteboard: [ca-compliance] [audit-finding] → [close on 2025-06-11] [ca-compliance] [audit-finding]
Status: ASSIGNED → RESOLVED
Closed: 8 months ago
Flags: needinfo?(incident-reporting)
Resolution: --- → FIXED
Whiteboard: [close on 2025-06-11] [ca-compliance] [audit-finding] → [ca-compliance] [audit-finding]