Open Bug 1973238 Opened 2 months ago Updated 1 day ago

Actalis: incorrect CP/S Last Update date in CCADB

Categories

(CA Program :: CA Certificate Compliance, task)

Product:
CA Program
Component:
CA Certificate Compliance
Type:
task

Tracking

(Not tracked)

Status:
ASSIGNED

People

(Reporter: adriano.santoni, Assigned: adriano.santoni)

Details

(Whiteboard: [ca-compliance] [disclosure-failure])

Steps to reproduce:

Preliminary Incident Report

Summary

  • Incident description: On June 18, 2025, we became aware that, for our CPS version 5.17, the 'CP/CPS Last Updated Date' stated on CCADB is '2025.01.15', however our CPS v5.17 was issued on 2025.03.11, so the date is incorrect.
  • Relevant policies: CCADB Policy. Chrome Root Program Policy. Mozilla Root Store Policy.
  • Source of incident disclosure: Third party reported.
Assignee: nobody → adriano.santoni
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance] [disclosure-failure]

Full Incident Report

Summary

  • CA Owner CCADB unique ID: A000001
  • Incident description: Missing Disclosure of Updated CP/S Documents in the CCADB.
  • Timeline summary: Actalis: incorrect CP/S Last Update date in CCADB
    • Non-compliance start date: 2025-03-11;
    • Non-compliance identified date: 2025-06-18;
    • Non-compliance end date: 2025-06-20.
  • Relevant policies: Chrome Root Program, Section 2.3: Policy Disclosures, CCADB Section 4, Mozilla Root Store Policy Section 4.
  • Source of incident disclosure: Third party reported

Impact

  • Total number of certificates: 0
  • Total number of "remaining valid" certificates: All of them
  • Affected certificate types: 0
  • Incident heuristic: The incident had no effect on the certificates issued by Actalis.
  • Was issuance stopped in response to this incident, and why or why not?: No, issuance has not been stopped.
  • Analysis: N/A.
  • Additional considerations: //

Timeline

All times are CEST.

  • 2025-01-15 - Actalis CPS version 5.16 was released
  • 2025-02-11 - 11:13 PM - We opened Case #2249 to update our CCADB with Policy Document Effective date on 2025-01-15
  • 2025-03-11 - Actalis CPS version 5.17 was released
  • 2025-06-18 - Actalis CPS version 5.18 was released
  • 2025-06-18 - 23:27 PM - Actalis receives an external non-compliance report regading a wrong "Last Updated" date of our CPS v5.17 as dislosed to the CCADB;
  • 2025-06-19 - 7:19 AM - Actalis opens Case #2488 on CCADB to create a new Non-Audit Document Type CP/CPS (ID-7206) and set Policy Document Effective Date on 2025-06-18;
  • 2025-06-19 - 07:49 AM - A feedback was given to the external reporter
  • 2025-06-20 - 04:48 AM - The Case #2488 on CCADB was closed with Non-Audit Documents Data Synced
  • 2025-06-20 - 06:29 AM - Preliminary Incident Report was opened in Bugzilla
  • 2025-06-20 - After the closure of the CCADB Case, Actalis selects as supersed the previous version of the CP/S.

Related Incidents

Bug Date Description
1967951 2025-05-22 DFNMT: Delayed Disclosure of Updated Policy Documents in the CCADB
1948600 2025-02-17 IZENPE: Outdated CPS for Izenpe Root

Root Cause Analysis

Contributing Factor 1: Process failure in updating the CCADB after the release of CPS v.17

  • Description: On June 18, 2025, we received a report from a third party indicating that the "Last Update" date for our CPS v5.17, as disclosed on the CCADB, was incorrect; The CCADB listed January 15, 2025, whereas the actual release date of CPS v5.17 was March 11, 2025.

A few days ago we still believed that the discrepancy was due to a typo in Case 2249 ("non-audit documents" section), and asked CCADB Support (on June 23) to update that record for us (which they did). However, after further investigation we realized that the data we entered into Case 2249 (specifically the "CP/CPS Last Updated Date") was actually correct, in that Case 2249 was submitted after release of our CPS v5.16, not v5.17 (as mentioned by the problem reporter).

So, in reality, our mistake was that of not having updated the CCADB following the release of our CPS 5.17 (which was on March 11).

It is important to note that throughout this time, the CPS documents were correctly published and maintained on Actalis' official website.

At last, the CCADB database was updated correctly during the submission for CPS v5.18, but by then the v5.17 update had been skipped

  • Timeline: as described above.
  • Detection: Third party reported on 2025-06-18.
  • Interaction with other factors: The non-compliance report was received on the days scheduled for updating the CPS to version 5.18 (June 18, 2025).
  • Root Cause Analysis methodology used: 5 Whys

Lessons Learned

  • What went well: Actalis has consistently kept its policy documents up to date on its website. The links to these documents remain unchanged when a new version is published, ensuring the latest versions are always accessible.

  • What didn’t go well: Actalis's periodic review of information posted on CCADB did not intercept the skipped publication.
    In addition, at first, we incorrectly assumed that the reported issue was due to a typo in the CCADB record for CPS v5.17. This initial misunderstanding delayed the identification of the real root cause.

  • Where we got lucky: A new version, v.5.18 of the CPS was being published on the day the non-compliance was reported, which it would have led us to detect and correct the discrepancy on our own.

  • Additional: //.

Action Items

Action Item Kind Corresponding Root Cause(s) Evaluation Criteria Due Date Status
Adding an internal mandatory verification step to confirm CCADB updates immediately after every CPS release. Prevent Root Cause # 1 Internal Audit will verify if it will be respected 2025-07-31 Ongoing
Version logging: A centralized release log will be established to link each CPS version to its corresponding CCADB submission date. Prevent Root Cause # 1 The publication of the CPS on our website will be aligned with the CCADB database updating process 2025-07-15 Ongoing
Procedure Review and Training: The CCADB submission procedure will be improved to clarify responsibilities and version tracking. A Refresher training will be held for the PKI and Compliance teams. Prevent Root Cause # 1 Training Results will verify the new processes and responsibilities will be followed 2025-09-30 Ongoing

Appendix

N/A. This incident has not any impact to issued certificates.

Weekly Update

We are on track with the planned action items.
In the meantime, we are continuing to monitor this bug.

Weekly Update

Our second action Item ("centralized release log will be established to link each CPS version to its corresponding CCADB submission date") has been completed. The other two action items are in progress.

In the meantime, we are continuing to monitor this bug.

Weekly Update

We are on track with the remaining planned action items.
In the meantime, we are continuing to monitor this bug.

Weekly Update

The first action item ("Adding an internal mandatory verification step to confirm CCADB updates immediately after every CPS release") has also been completed.
The last one ("The CCADB submission procedure will be improved to clarify responsibilities and version tracking. A Refresher training will be held for the PKI and Compliance teams.") is in progress.

In the meantime, we are continuing to monitor this bug.

Weekly Update

We are working on the last planned action item.
In the meantime, we are continuing to monitor this bug.

Weekly Update

We are working on the last planned action item.
In the meantime, we are continuing to monitor this bug.

Weekly Update

We are working on the last planned action item.
In the meantime, we are continuing to monitor this bug.

You need to log in before you can comment on or make changes to this bug.