Closed Bug 1976837 Opened 6 months ago Closed 5 months ago

D-Trust: Defective certificate incident reporting form

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: enrico.entschew, Assigned: enrico.entschew)

Details

(Whiteboard: [ca-compliance] [policy-failure])

Preliminary Incident Report

Summary

  • Incident description:
    During an external use of the certificate incident reporting form at https://www.d-trust.net/en/support/reporting-certificate-problem on 2025/07/09, D-TRUST discovered that certain fields—specifically contact information provided by a reporter—were not correctly included in the internal email notifications sent to the incident response team. This error only occurs if a certain number of characters is exceeded in a form field. This issue affects only the internal handling of incoming form data and does not impact the availability of the form.
    In this specific case, on 2025/07/09, the team was unable to contact a reporter because their contact information was cut off. Nevertheless, all information related to their incident report was duly transmitted to the incident team and processed according to the established regular procedures.
    We are investigating the issue.

  • Relevant policies:

    • Baseline Requirements v2.1.5, Section 4.9.5 (related to problem report processing)
    • D-TRUST Certificate Policy v5.5, Section 1.5.2
  • Source of incident disclosure:
    Internally discovered by D-TRUST during processing of a reported certificate problem based on the internal email notification.

Assignee: nobody → enrico.entschew
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [policy-failure]

Full Incident Report

Summary

  • CA Owner CCADB unique ID: A000022
  • Incident description:
    During an external use of the certificate incident reporting form at https://www.d-trust.net/en/support/reporting-certificate-problem on 2025/07/09, D-TRUST discovered that certain fields — specifically contact information provided by a reporter — were not correctly included in the internal email notifications. This behavior only occurs if a certain number of characters is exceeded in the form. This issue affects only the internal handling of incoming form data and does not impact the availability of the form.
    In this specific case, on 2025/07/09, the team was unable to contact the reporter because their contact information was cut off. Nevertheless, all information related to their incident report was duly transmitted to the incident team and processed according to the established regular procedures.
  • Timeline summary:
    • Non-compliance start date: 2024/16/12
    • Non-compliance identified date: 2025/07/09
    • Non-compliance end date: 2025/07/10
  • Relevant policies:
    • Baseline Requirements v2.1.5, Section 4.9.5 (related to problem report processing)
    • D-TRUST Certificate Policy v5.5, Section 1.5.2
  • Source of incident disclosure: Internally discovered by D-TRUST during processing of a reported certificate problem based on the internal email notification.

Impact

  • Total number of certificates: 0
  • Total number of "remaining valid" certificates: 0
  • Affected certificate types: No certificates affected
  • Incident heuristic: No certificates affected
  • Was issuance stopped in response to this incident, and why or why not?: No, this issue did not affect any certificates.
  • Analysis: NA
  • Additional considerations:

Timeline

All time info in UTC.
2024/10/09:
Requirements for the development of the web form were finalized.

2024/10/14:
Requirements for the development of the web form were sent to the service provider.

2024/11/12:
Prerelease of web form was tested and results were evaluated.

2024/12/16:
New web form for incident reports was released.

2025/07/09:
04:44 Email notification from web form was received.
06:00 Incident investigation regarding the content of the incident report started.
06:30 Incident response team confirmed that there was no incident regarding the content of the incident report itself.
07:20 Support team discovered that the contact information was not correctly included in the internal email notification sent.
07:30 Incident response team started investigating the "truncated email" issue.
07:40 Incident response team started to run different tests on the web form, which proved that the web form itself was not defective but info could get cut off in the notification email.
08:30 Incident response team confirmed that the issue was permanent and not a one-time occurrence.
09:55 D-Trust opened a support ticket after notifying the service provider.
10:30 Service provider started investigating the issue.

2025/07/10:
07:30 Root cause for “truncated email” was identified.
11:00 Size limitation when generating the internal notification email was adjusted.

2025/07/11:
16:15 Extensive testing of web form was completed.

2025/07/21:
09:00 It was decided that a separate “Definition of done” status must be specified for each request to the web form.

2025/07/22:
12:00 The investigation ended. Incident response team started to work on the final report.

Related Incidents

| Bug | Date | Description |
|---|---|---|
| None | x | x |

Root Cause Analysis

Contributing Factor 1 #: The contents of the web form for certificate incident reports could not be fully transmitted internally

  • Description: D-Trust received a certificate incident report via the certificate incident reporting web form at https://www.d-trust.net/en/support/reporting-certificate-problem on 2025/07/09. Due to a size limitation in one form field, when generating the internal notification email, the content of the web form was not completely transferred to the notification. The contact information of the reporter was missing so that D-Trust was unable to contact the reporter. The size limitation was originally chosen to avoid DoS attacks.
    The size limitation was not detected because there were no clear requirements regarding the content size of the possible total message. For this reason, a standard variable was used during development. Due to the lack of content size requirements, the subsequent test did not test this either. The error was still not noticed, as only the basic functionality was tested and the character sizes used were limited.
  • Timeline: 2024/12/16 - 2025/07/10
  • Detection: The possibility of incomplete content transmission of the web form was not detected before, as too little data had been entered in the “Reason for revocation” field during testing. Until the current incident, the limit was also not reached for data previously transmitted via this form.
  • Interaction with other factors: Requirements for the web form for certificate incident reports were not complete
  • Root Cause Analysis methodology used: 5 Whys

Contributing Factor 2 #: Requirements for the web form for certificate incident reports were not complete

  • Description: D-Trust decided to replace the previous procedure for reporting a certificate incident via a PDF form sent by e-mail with a web form. The size limitation of one form field of the web form, “Reason for revocation”, was not defined in the requirements for the service provider. This was overlooked in the multi-eye pair principle.
  • Timeline: 2024/11/12 – 2024/12/16
  • Detection: Since the error with the truncated email had not occurred by the time of the incident, there was no need to investigate the original definition process of the requirements for the web form.
  • Interaction with other factors: The contents of the web form for certificate incident reports could not be fully transmitted internally
  • Root Cause Analysis methodology used: 5 Whys

Lessons Learned

  • What went well:

    • The issue was quickly identified due to the established procedures for processing certificate incident reports.
    • Communication between the teams (incident management, support team, compliance team, service provider etc.) was smooth and enabled a quick resolution.
    • A permanent fix was implemented within one day, which prevents recurrence.
  • What didn’t go well:

    • The web form allowed entries that exceeded the limit supported when generating the internal email notification and this fact was not detected during testing of the web form in 2024.
    • The issue was only discovered reactively—after it had already affected a real submission.
    • We underestimated the effort required to define the specification for the web form and also underestimated the impact that an incomplete definition would have on the development and on the testing of the form.
  • Where we got lucky:

    • The problem was discovered by submitting form content. However, the content was sufficient to successfully process the reported issue internally.
    • The error only occurred if a lot of data was entered in the web form. The web form itself was always available, so that D-Trust could receive reports from users at all times.
  • Additional:

Action Items

| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| We adjusted the size limitation for the internal email notification. | Prevent | Root Cause # 1 | The form is tested with defined test data of different sizes. | 2025-07-10 | Completed |
| We revised the procedure to release requirements for the web form to report certificate incidents. | Prevent | Root Cause # 2 | A separate “Definition of done” status must be released for each requirement. | 2025-07-21 | Completed |

Appendix

There is nothing new to report, we are preparing the Closure Report.

Closure Report

Report Closure Summary

  • Incident description: After we received a certificate incident report on July 9th 2025 via our implemented web form at https://www.d-trust.net/en/support/reporting-certificate-problem, D-TRUST discovered that certain text fields — specifically contact information provided by the reporter — were not correctly included and transferred for the internal email notifications. This behavior only occurs if a certain number of characters is exceeded in the text field of the web form. This issue affects only the internal handling of incoming web form data and does not impact the availability of the form.
    In this specific case, on July 9th 2025, our incident team was unable to contact the reporter because their contact information was cut off. Nevertheless, all technical information related to this specific incident report was duly transmitted to the incident team and processed according to the established regular procedures.

  • Incident Root Cause(s): The web form requirements did not include detailed specifications for the maximum input size for certain text fields, leading to insufficient testing if the number of characters exceeds certain boundaries.

  • Remediation description: As an immediate measure, the size limitation for internal email notifications was adjusted on July 10th 2025, which prevents the issue from reoccurring. The web form was thoroughly retested using inputs of various lengths to confirm the issue no longer occurs. The requirements engineering process was revised and detailed on July 21st 2025 to ensure long term stability and strengthen our processes, even for the development of simple web forms through external partners.

  • Commitment summary: To support continuous improvement, D-Trust commits to applying lessons learned from this incident to the development of future web-based input systems. This includes incorporating early reviews of requirements for external partners and appropriate testing as a standard part of QA processes.

All Action Items disclosed in this report have been completed as described, and we request its closure.

Flags: needinfo?(incident-reporting)

This is a final call for comments or questions on this Incident Report.

Otherwise, it will be closed on approximately 2025-08-18.

Whiteboard: [ca-compliance] [policy-failure] → [close on 2025-08-18] [ca-compliance] [policy-failure]
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Flags: needinfo?(incident-reporting)
Resolution: --- → FIXED
Whiteboard: [close on 2025-08-18] [ca-compliance] [policy-failure] → [ca-compliance] [policy-failure]
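
The failure mode named in the root cause analysis (a size limit applied while the notification email is generated, which cuts off the reporter's contact details) and the retest with inputs of various lengths can be reproduced with a short boundary sweep. This is an added example, not D-Trust's or its service provider's code; the field names, the limits and the reject-at-input variant are assumptions.

```python
# Added illustration. Field names, limits and function names are assumptions,
# not taken from D-Trust's web form or its service provider's code.
FIELD_LIMITS = {"reason": 5000, "name": 200, "email": 254}  # assumed input caps
BODY_LIMIT = 2000  # assumed cap applied while generating the e-mail body
CONTACT = {"name": "Constructed Reporter", "email": "reporter@example.test"}


def render(form):
    """Lay out the fields in form order, contact details last."""
    return "\n".join(f"{key}: {form[key]}" for key in FIELD_LIMITS)


def notify_truncating(form):
    """Failure mode: the assembled body is silently cut at BODY_LIMIT."""
    return render(form)[:BODY_LIMIT]


def notify_checked(form):
    """Bound the input at the form and reject; never shorten the e-mail."""
    for key, limit in FIELD_LIMITS.items():
        if len(form[key]) > limit:
            raise ValueError(f"{key} exceeds {limit} characters")
    return render(form)


def missing_fields(form, body):
    """Fields whose complete 'key: value' text did not reach the e-mail."""
    return [key for key in FIELD_LIMITS if f"{key}: {form[key]}" not in body]


def boundary_sweep(notify):
    """Submit 'reason' texts sized around each limit; map size -> lost fields."""
    overhead = len(render({"reason": "", **CONTACT}))
    fits = BODY_LIMIT - overhead  # longest reason that still fits BODY_LIMIT
    top = FIELD_LIMITS["reason"]
    results = {}
    for size in (10, fits, fits + 1, top, top + 1):
        form = {"reason": "x" * size, **CONTACT}
        try:
            results[size] = missing_fields(form, notify(form))
        except ValueError:
            results[size] = "rejected"
    return results


if __name__ == "__main__":
    for name, fn in (("truncating", notify_truncating), ("checked", notify_checked)):
        print(name, boundary_sweep(fn))
```

A short test input, like the one used before release, passes both variants; only the sizes at and just past each limit separate them.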