Closed Bug 1973238 Opened 5 months ago Closed 1 month ago

Actalis: incorrect CP/S Last Update date in CCADB

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: adriano.santoni, Assigned: adriano.santoni)

Details

(Whiteboard: [ca-compliance] [disclosure-failure])

Steps to reproduce:

Preliminary Incident Report

Summary

  • Incident description: On June 18, 2025, we became aware that, for our CPS version 5.17, the 'CP/CPS Last Updated Date' stated on CCADB is '2025.01.15', however our CPS v5.17 was issued on 2025.03.11, so the date is incorrect.
  • Relevant policies: CCADB Policy. Chrome Root Program Policy. Mozilla Root Store Policy.
  • Source of incident disclosure: Third party reported.
Assignee: nobody → adriano.santoni
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance] [disclosure-failure]

Full Incident Report

Summary

  • CA Owner CCADB unique ID: A000001
  • Incident description: Missing Disclosure of Updated CP/S Documents in the CCADB.
  • Timeline summary: Actalis: incorrect CP/S Last Update date in CCADB
    • Non-compliance start date: 2025-03-11;
    • Non-compliance identified date: 2025-06-18;
    • Non-compliance end date: 2025-06-20.
  • Relevant policies: Chrome Root Program, Section 2.3: Policy Disclosures, CCADB Section 4, Mozilla Root Store Policy Section 4.
  • Source of incident disclosure: Third party reported

Impact

  • Total number of certificates: 0
  • Total number of "remaining valid" certificates: All of them
  • Affected certificate types: 0
  • Incident heuristic: The incident had no effect on the certificates issued by Actalis.
  • Was issuance stopped in response to this incident, and why or why not?: No, issuance has not been stopped.
  • Analysis: N/A.
  • Additional considerations: //

Timeline

All times are CEST.

  • 2025-01-15 - Actalis CPS version 5.16 was released
  • 2025-02-11 - 11:13 PM - We opened Case #2249 to update our CCADB with Policy Document Effective date on 2025-01-15
  • 2025-03-11 - Actalis CPS version 5.17 was released
  • 2025-06-18 - Actalis CPS version 5.18 was released
  • 2025-06-18 - 23:27 PM - Actalis receives an external non-compliance report regarding a wrong "Last Updated" date of our CPS v5.17 as disclosed to the CCADB;
  • 2025-06-19 - 7:19 AM - Actalis opens Case #2488 on CCADB to create a new Non-Audit Document Type CP/CPS (ID-7206) and set Policy Document Effective Date on 2025-06-18;
  • 2025-06-19 - 07:49 AM - Feedback was given to the external reporter
  • 2025-06-20 - 04:48 AM - The Case #2488 on CCADB was closed with Non-Audit Documents Data Synced
  • 2025-06-20 - 06:29 AM - Preliminary Incident Report was opened in Bugzilla
  • 2025-06-20 - After the closure of the CCADB Case, Actalis selects as superseded the previous version of the CP/S.

Related Incidents

| Bug | Date | Description |
| 1967951 | 2025-05-22 | DFNMT: Delayed Disclosure of Updated Policy Documents in the CCADB |
| 1948600 | 2025-02-17 | IZENPE: Outdated CPS for Izenpe Root |

Root Cause Analysis

Contributing Factor 1: Process failure in updating the CCADB after the release of CPS v.17

  • Description: On June 18, 2025, we received a report from a third party indicating that the "Last Update" date for our CPS v5.17, as disclosed on the CCADB, was incorrect; the CCADB listed January 15, 2025, whereas the actual release date of CPS v5.17 was March 11, 2025.

A few days ago we still believed that the discrepancy was due to a typo in Case 2249 ("non-audit documents" section), and asked CCADB Support (on June 23) to update that record for us (which they did). However, after further investigation we realized that the data we entered into Case 2249 (specifically the "CP/CPS Last Updated Date") was actually correct, in that Case 2249 was submitted after release of our CPS v5.16, not v5.17 (as mentioned by the problem reporter).

So, in reality, our mistake was that of not having updated the CCADB following the release of our CPS 5.17 (which was on March 11).

It is important to note that throughout this time, the CPS documents were correctly published and maintained on Actalis' official website.

At last, the CCADB database was updated correctly during the submission for CPS v5.18, but by then the v5.17 update had been skipped.

  • Timeline: as described above.
  • Detection: Third party reported on 2025-06-18.
  • Interaction with other factors: The non-compliance report was received on the days scheduled for updating the CPS to version 5.18 (June 18, 2025).
  • Root Cause Analysis methodology used: 5 Whys

Lessons Learned

  • What went well: Actalis has consistently kept its policy documents up to date on its website. The links to these documents remain unchanged when a new version is published, ensuring the latest versions are always accessible.

  • What didn’t go well: Actalis's periodic review of information posted on CCADB did not intercept the skipped publication.
    In addition, at first, we incorrectly assumed that the reported issue was due to a typo in the CCADB record for CPS v5.17. This initial misunderstanding delayed the identification of the real root cause.

  • Where we got lucky: A new version, v.5.18 of the CPS, was being published on the day the non-compliance was reported, which would have led us to detect and correct the discrepancy on our own.

  • Additional: //.

Action Items

| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
| Adding an internal mandatory verification step to confirm CCADB updates immediately after every CPS release. | Prevent | Root Cause # 1 | Internal Audit will verify if it will be respected | 2025-07-31 | Ongoing |
| Version logging: A centralized release log will be established to link each CPS version to its corresponding CCADB submission date. | Prevent | Root Cause # 1 | The publication of the CPS on our website will be aligned with the CCADB database updating process | 2025-07-15 | Ongoing |
| Procedure Review and Training: The CCADB submission procedure will be improved to clarify responsibilities and version tracking. A Refresher training will be held for the PKI and Compliance teams. | Prevent | Root Cause # 1 | Training Results will verify the new processes and responsibilities will be followed | 2025-09-30 | Ongoing |

Appendix

N/A. This incident has no impact on issued certificates.

Weekly Update

We are on track with the planned action items.
In the meantime, we are continuing to monitor this bug.

Weekly Update

Our second action Item ("centralized release log will be established to link each CPS version to its corresponding CCADB submission date") has been completed. The other two action items are in progress.

In the meantime, we are continuing to monitor this bug.

Weekly Update

We are on track with the remaining planned action items.
In the meantime, we are continuing to monitor this bug.

Weekly Update

The first action item ("Adding an internal mandatory verification step to confirm CCADB updates immediately after every CPS release") has also been completed.
The last one ("The CCADB submission procedure will be improved to clarify responsibilities and version tracking. A Refresher training will be held for the PKI and Compliance teams.") is in progress.

In the meantime, we are continuing to monitor this bug.

Weekly Update

We are working on the last planned action item.
In the meantime, we are continuing to monitor this bug.

Weekly Update

We are working on the last planned action item.
In the meantime, we are continuing to monitor this bug.

Weekly Update

We are working on the last planned action item.
In the meantime, we are continuing to monitor this bug.

Weekly Update

We are working on the last planned action item.
In the meantime, we are continuing to monitor this bug.

Weekly Update

We are working on the last planned action item.
In the meantime, we are continuing to monitor this bug.

Weekly update

We are working on the last planned action item.
In the meantime, we are continuing to monitor this bug.

Report Closure Summary

  • Incident description: The CCADB wasn’t updated after releasing CPS v5.17 on March 11, 2025.
    The situation was fixed with the next version (v5.18) on June 18, 2025. However, all the CPS documents were always correctly available on Actalis’ website.

  • Incident Root Cause(s): The issue was caused by human error (skipped activity) in following our internal disclosure procedure after the release of CPS v5.17 on March 11, 2025. In addition, Actalis's periodic reviews of the information posted on CCADB did not intercept the skipped publication.

  • Remediation description: Actalis has reinforced the CPS release process by introducing internal verification checks and a centralized version log to keep CCADB updates aligned with new releases. With clearer procedures and refresher training, these measures are designed to prevent similar errors going forward.

  • Commitment summary: To further improve reliability, Actalis will continue to enhance its disclosure processes through proactive monitoring of CCADB submissions and cases, regular cross-team reviews, and periodic internal audit checks.
    Emphasis will be placed on reinforcing accountability and maintaining correct information and documentation, so that even minor discrepancies are promptly detected and prevented in the future.

All Action Items disclosed in this report have been completed as described, and we request its closure.

This is a final call for comments or questions on this Incident Report.

Otherwise, it will be closed on approximately 2025-09-22.

Flags: needinfo?(incident-reporting)
Whiteboard: [ca-compliance] [disclosure-failure] → [close on 2025-09-22] [ca-compliance] [disclosure-failure]
Status: ASSIGNED → RESOLVED
Closed: 1 month ago
Flags: needinfo?(incident-reporting)
Resolution: --- → FIXED
Whiteboard: [close on 2025-09-22] [ca-compliance] [disclosure-failure] → [ca-compliance] [disclosure-failure]