ANF AC: Finding #3 ETSI Audit - Improve documental explanation revocation request >24h on CPS
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: pablo, Assigned: pablo)
Details
(Whiteboard: [ca-compliance] [audit-finding])
6.2.4 Identification and authentication for revocation requests
Revocation exception procedure documental explanation shall be improved when the revocation request cannot be confirmed within 24 hours. [REV-6.2.4-03BA]
Full Incident Report
Summary
- CA Owner CCADB unique ID: A000269
- Incident description: Our CPS described that, in the event a revocation request could not be confirmed within 24 hours, the actions taken and the reasons for the delay would be recorded. However, during the ETSI EN 319 411-1 audit, it was determined that this explanation was insufficient, as it did not specify what concrete actions ANF AC would take in such a scenario. The non-conformity was raised under requirement [REV-6.2.4-03BA].
- Timeline summary:
  - Non-compliance start date: N/A
  - Non-compliance identified date: March 13th, 2025
  - Non-compliance end date: March 14th, 2025
- Relevant policies:
  - ANF AC Certification Practices Statement (CPS) v.3.9 - OID 1.3.6.1.4.1.18332.1.9.1.1.
- Source of incident disclosure: Detected by external auditor during the annual conformity assessment audit.
Impact
- Total number of certificates: 0
- Total number of "remaining valid" certificates: 0
- Affected certificate types: N/A
- Incident heuristic: N/A
- Was issuance stopped in response to this incident, and why or why not?: No. This was a documentation issue related to the level of detail in the description of the revocation procedure. The omission did not affect the validity or issuance of any certificates, nor the operation of revocation mechanisms. Immediate revocation channels remained functional at all times.
- Analysis: Although the Certification Practice Statement indicated that actions would be recorded if revocation confirmation was not possible within 24 hours, it did not specify what concrete escalation or remediation steps would be taken. This lack of procedural detail was flagged by the auditor. The issue has since been addressed by explicitly describing the internal escalation process, immediate notification to the Security Officer, and the implementation of corrective actions in such scenarios.
- Additional considerations: ANF AC offers automated revocation mechanisms that allow immediate certificate revocation by the subscriber, without the need to wait for manual confirmation from ANF AC. These mechanisms were operational and compliant at all times. The documentation has been updated to reflect this and clarify the escalation measures in case of exceptional delays.
Timeline
Related Incidents
N/A
Root Cause Analysis
Contributing Factor #1: Insufficient procedural detail in documentation
- Description: The CPS document lacked specific procedural detail regarding the escalation path or concrete steps to be followed in cases where revocation confirmation could not occur within 24 hours.
- Timeline: The insufficient wording was present in the version of the DPC in effect at the time of the audit (February 2024). The issue was corrected with the update of the DPC following the audit.
- Detection: The deficiency was identified by the external auditor during the conformity assessment.
- Interaction with other factors: N/A
Lessons Learned
- What went well: The operational mechanisms for immediate revocation were functioning properly and were never impacted. The internal security and escalation procedures were already in place and effective in practice.
- What didn’t go well: The documentation did not fully reflect the internal escalation process or the measures taken in cases of delayed revocation confirmation.
- Where we got lucky: No incidents occurred in which a revocation could not be confirmed within 24 hours.
- Additional: N/A
Action Items
| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Update the DPC to explicitly describe the escalation procedure and corrective actions in case a revocation request cannot be confirmed within 24 hours. | Corrective | Root Cause # 1 | N/A | 2025-03-14 | Complete |
Appendix
Report Closure Summary
- Incident description: The CPS did not sufficiently explain what actions would be taken if a revocation request could not be confirmed within 24 hours. Although it stated that actions would be recorded and justified, the lack of a detailed explanation led to a non-conformity under ETSI EN 319 411-1.
- Incident Root Cause(s): Insufficient procedural detail in the documentation.
- Remediation description: The DPC has been updated to include a clear escalation procedure. It now specifies that, in such cases, an internal escalation is triggered, the Security Officer is notified, actions are documented, and corrective measures are implemented.
- Commitment summary: ANF AC commits to regularly reviewing its policy documents to ensure operational procedures are fully and clearly reflected.
All Action Items disclosed in this report have been completed as described, and we request its closure.
Comment 1•9 months ago
This is a final call for comments or questions on this Incident Report.
Otherwise, it will be closed on approximately 2025-07-08.