Open Bug 1973034 Opened 2 days ago Updated 1 day ago

Certigna: Finding #3 ETSI Audit – Event log protection beyond seven years shall be improved

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: j.allemandou, Assigned: j.allemandou)

Details

(Whiteboard: [ca-compliance] [audit-finding])

Full Incident Report

Findings with regard to ETSI EN 319 411-1:
6.4.6 Records archival
Event log protection beyond seven years shall be improved. [OVR-6.4.6-01]

Summary

  • CA Owner CCADB unique ID: A000011

  • Incident description: Logs are retained for 7 years after the expiry of the associated certificates; however, the log integrity protection tool was configured for 7 years only.

  • Timeline summary:

    • Non-compliance start date: 2024-03-13
    • Non-compliance identified date: 2025-03-28
    • Non-compliance end date: 2025-05-27
  • Relevant policies: ETSI EN 319 411-1 V1.4.1 (2023-10)

  • Source of incident disclosure:
    CAB-Forum_AAL_Certigna_Standard_Audit_2025_V3_S.3
    CAB-Forum_AAL_Certigna_TLS-BR_Audit_2025_V3_S.3
    CAB-Forum_AAL_Certigna_TLS-EV_Audit_2025_V3_S.3
    CAB-Forum_AAL_Certigna_SMIME-BR_Audit_2025_V3_S.3
    CAB-Forum_AAL_Certigna_CS-BR_Audit_2025_V3_S.3

Impact

No impact identified on certificates.

  • Total number of certificates: (N/A)
  • Total number of "remaining valid" certificates: (N/A)
  • Affected certificate types: (N/A)
  • Incident heuristic: No certificates affected (N/A)
  • Was issuance stopped in response to this incident, and why or why not?: (N/A)
  • Analysis: (N/A)
  • Additional considerations: (N/A)

Timeline

All times are now UTC.

2024-03-13: Protection of log repositories for archiving was set to a maximum of 7 years for logs linked to new short-lived certificates with a lifetime of 30 minutes. The associated logs therefore had to be deleted within 7 years and 30 minutes.
2025-03-28: An auditor identified the limitation of the log protection configuration set at 7 years for all logs, and not only logs linked to short-lived certificates.
2025-05-16: Receipt of the audit report with validation of proposed actions to address deviations.
2025-05-16: Update of logging procedure to reinforce guidelines for configuring protection of archived logs and regular monitoring of this configuration.
2025-05-16: Raising team awareness of archived log protection configuration and new guidelines.
2025-05-19: Update of repository configurations to adapt the duration of protection considering the lifetime of the associated certificates.
2025-05-27: Validation of deviation resolution by auditor after analysis of log repository configurations and associated procedure.

Related Incidents

N/A

Root Cause Analysis

Contributing Factor #1: Creation of new short-lived certificate profiles with logs to be deleted after seven years and 30 minutes.

  • Description: Protection of log repositories for archiving was set to a maximum of 7 years for logs linked to new short-lived certificates with a lifetime of 30 minutes. The associated logs therefore had to be deleted within 7 years and 30 minutes.
  • Timeline: Generation of new certificate profiles, and update of log repository protection configurations to enable log deletion after certificate expiration.
  • Detection: The ETSI auditor identified the limitation of the log protection configuration set at 7 years for all logs.
  • Interaction with other factors: N/A
  • Root Cause Analysis methodology used: 5-Whys

Lessons Learned

  • What went well: Archived and required logs were still available on the depots, and extended protection has been correctly configured.
  • What didn’t go well: The configuration of integrity log protection was not adapted to the different certificate lifetimes.
  • Where we got lucky: Archived and required logs were still available on the depots, because the log deletion scripts were correctly configured for deletion, considering the lifetimes of the associated certificates.
  • Additional: N/A

Action Items

| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
| --- | --- | --- | --- | --- | --- |
| Update of logging procedure to reinforce guidelines for configuring protection of archived logs and regular monitoring of this configuration | Detect | Root Cause # 1 | Should reduce the occurrence of this type of non-compliance | 2025-05-16 | Complete |
| Raising team awareness of archived log protection configuration and new guidelines | Detect | Root Cause # 1 | Should reduce the occurrence of this type of non-compliance | 2025-05-16 | Complete |
| Update of repository configurations to adapt the duration of protection considering the lifetime of the associated certificates | Mitigate | Root Cause # 1 | Correctly configured and controlled protection | 2025-05-19 | Complete |

Appendix

Details of affected certificates
No certificates affected (N/A)

Report Closure Summary

  • Incident description: Logs are retained for 7 years after the expiry of the associated certificates; however, the log integrity protection tool was configured for 7 years only.
  • Incident Root Cause(s): Protection of log repositories for archiving was set to a maximum of 7 years for logs linked to new short-lived certificates with a lifetime of 30 minutes. The associated logs therefore had to be deleted within 7 years and 30 minutes.
  • Remediation description: Logging procedure has been updated to reinforce guidelines for configuring protection of archived logs and regular monitoring of this configuration. Teams have been made aware of the new guidelines and have updated the configuration of the protection of log archiving repositories.
  • Commitment summary: Increased configuration and controls for archived log protection.

All Action Items disclosed in this report have been completed as described, and we request its closure.

Assignee: nobody → j.allemandou
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [audit-finding]