Closed Bug 1974198 Opened 4 months ago Closed 2 months ago

SHECA: New CPS disclosure of CCADB exceeds the required 14-day deadline

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: wangjiatai, Assigned: wangjiatai)

Details

(Whiteboard: [ca-compliance] [disclosure-failure])

Preliminary Incident Report

Summary

Assignee: nobody → wangjiatai
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [disclosure-failure]
Component: Common CA Database → CA Certificate Compliance

Since the report needs to be reviewed and released by the Compliance Department, SHECA will release a complete report on July 8, 2025!

Full Incident Report

Summary

  • CA Owner CCADB unique ID:

    Shanghai Electronic Certification Authority Co., Ltd.

  • Incident description:

    SHECA failed to publish the new version of CPS to CCADB within 14 days after it came into effect, which violated the relevant provisions of Section 2.3 of Chrome Root Program Policy v1.6 (https://googlechrome.github.io/chromerootprogram/#23-policy-disclosures).

  • Timeline summary:

    • Non-compliance start date:

      May 25, 2025

    • Non-compliance identified date:

      June 25, 2025

    • Non-compliance end date:

      June 25, 2025

  • Relevant policies:

    Chrome Root Program Policy v1.6 Section 2.3 (https://googlechrome.github.io/chromerootprogram/#23-policy-disclosures) states:

    2.3 Policy Disclosures

    The Chrome Root Program considers CA policy documentation disclosed to the CCADB to be authoritative. Before corresponding policy changes are put into practice, Chrome Root Program Participants:

    • MUST minimally ensure the updated versions of a CA's policy document(s) are uploaded to their own publicly accessible repository, and
    • SHOULD ensure the updated versions of a CA's policy document(s) are submitted to the CCADB within 7 calendar days of the policy document's effective date, but MUST do so within 14 calendar days.
  • Source of incident disclosure:

    Third Party Reported

Impact

  • Total number of certificates:

    None

  • Total number of "remaining valid" certificates:

    None

  • Affected certificate types:

    None

  • Incident heuristic:

    None

  • Was issuance stopped in response to this incident, and why or why not?:

    None

  • Analysis:

    None

  • Additional considerations:

    None

Timeline

Related Incidents

None

Root Cause Analysis

Contributing Factor #: The CPS release process is too long

  • Description:

    Due to the complex internal CPS approval process of SHECA, it requires at least three members of the Safety Committee to complete the review, and the relevant person in charge to initiate the internal OA process before it can be disclosed to the public. The entire process usually takes more than 10 days. This CPS update has a lot of content, and the Safety Committee review took more than two weeks, resulting in a delay in the release time.

  • Timeline:

    All timestamps are Beijing time (UTC+8)

    • 2025-02-30 SHECA's compliance department made internal announcements on some changes to Chrome Root Program Policy, Version 1.6, requiring relevant persons in charge to update to CCADB within 14 days after the CPS is updated.
    • 2025-04-30 SHECA initiated the safety committee review process to review the new version of CPS. Due to the large amount of content in this revision, the review work will not be completed until 2025-05-12.
    • 2025-05-12 The relevant person in charge shall revise the CPS according to the opinions of the Safety Committee and resubmit it.
    • 2025-05-14 10:53 After three rounds of revisions, the Safety Committee officially approved this CPS update.
    • 2025-05-14 13:54 The relevant person in charge initiated the process of disclosing the new version of CPS to the outside world.
    • 2025-05-15 The new version of CPS was successfully disclosed on the Internet.
    • 2025-05-15 The new version of CPS is uploaded to CCADB simultaneously.
  • Detection:

  • Interaction with other factors:

  • Root Cause Analysis methodology used:

    The CPS release process was too long and lacked a secondary confirmation mechanism, which led to this incident.

Lessons Learned

  • What went well:

    None

  • What didn’t go well:

    None

  • Where we got lucky:

    None

  • Additional:

Action Items

  • Action Item: The CPS release process is too long
    • Kind: Prevent
    • Corresponding Root Cause(s): The CPS release process is too long
    • Evaluation Criteria: To ensure the smooth progress of the subsequent process, SHECA has adjusted its internal process and requires that the CPS safety committee review be completed within 7 days to leave sufficient time for subsequent modification, disclosure and CCADB upload.
    • Due Date: 2025-07-12
    • Status: Ongoing
  • Action Item: Lack of a secondary verification step
    • Kind: Prevent
    • Corresponding Root Cause(s): Lack of a secondary verification step
    • Evaluation Criteria: The compliance department must participate in the entire CPS release process and check whether the new version of CPS has been successfully uploaded to CCADB within 14 days after the revision is completed.
    • Due Date: 2025-07-12
    • Status: Ongoing

Appendix

None

Action Items

  • Action Item: The CPS release process is too long
    • Kind: Prevent
    • Corresponding Root Cause(s): The CPS release process is too long
    • Evaluation Criteria: To ensure the smooth progress of the subsequent process, SHECA has adjusted its internal process and requires that the CPS safety committee review be completed within 7 days to leave sufficient time for subsequent modification, disclosure and CCADB upload.
    • Due Date: 2025-07-12
    • Status: Completed
  • Action Item: Lack of a secondary verification step
    • Kind: Prevent
    • Corresponding Root Cause(s): Lack of a secondary verification step
    • Evaluation Criteria: The compliance department must participate in the entire CPS release process and check whether the new version of CPS has been successfully uploaded to CCADB within 14 days after the revision is completed.
    • Due Date: 2025-07-12
    • Status: Completed

If there are no other questions, SHECA will release the final case this Friday.

This report has gone stale.

Flags: needinfo?(wangjiatai)

Report Closure Summary

  • Incident description:

    SHECA failed to publish the new version of CPS to CCADB within 14 days after it came into effect, which violated the relevant provisions of Section 2.3 of Chrome Root Program Policy v1.6 (https://googlechrome.github.io/chromerootprogram/#23-policy-disclosures).

  • Incident Root Cause(s):

    Due to the complex internal CPS approval process of SHECA, it requires at least three members of the Safety Committee to complete the review, and the relevant person in charge to initiate the internal OA process before it can be disclosed to the public. The entire process usually takes more than 10 days. This CPS update has a lot of content, and the Safety Committee review took more than two weeks, resulting in a delay in the release time.

  • Remediation description:

    1. Shorten the time required for the CPS release process.
    2. Verify that the new CPS version is uploaded to CCADB within 14 days of release.
  • Commitment summary:

    SHECA will continue to optimize its internal operating processes and gradually promote the transformation of CA operations that require manual participation to automation to reduce human errors.

All Action Items disclosed in this report have been completed as described, and we request its closure.

Flags: needinfo?(wangjiatai)

This is a final call for comments or questions on this Incident Report.

Otherwise, it will be closed on approximately 2025-08-25.

Flags: needinfo?(incident-reporting)
Whiteboard: [ca-compliance] [disclosure-failure] → [close on 2025-08-25] [ca-compliance] [disclosure-failure]
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Flags: needinfo?(incident-reporting)
Resolution: --- → FIXED
Whiteboard: [close on 2025-08-25] [ca-compliance] [disclosure-failure] → [ca-compliance] [disclosure-failure]