PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #2 – Compliance Management
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: pkioverheid, Assigned: pkioverheid)
Details
(Whiteboard: [ca-compliance] [audit-finding])
Preliminary Incident Report
Summary
- Incident Description:
- Minor Non-conformity: Compliance Management of ETSI EN 319 401 v3.1.1
- Relevant Policies:
- ETSI EN 319 401 (REQ-7.1.1-01, REQ-7.13-02)
- Source of incident disclosure:
- Annual ETSI Audit
Comment 1•7 months ago
Full Incident Report - ETSI Finding #2
Summary
- CA Owner CCADB unique ID: A000068
- Incident description: The CAB noted that full compliance with the new ETSI EN 319 401 v.3.1.1 and NIS2 requirements wasn’t in place yet at the moment of the audit visit. This was noted down as a minor non-conformity.
- Timeline summary:
- Non-compliance start date: 28-Feb-2025
- Non-compliance identified date: 11-Jul-2025
- Non-compliance end date: Ongoing
- Relevant policies:
- ETSI EN 319 401 REQ-7.1.1-01: The TSP organization shall be reliable.
- ETSI EN 319 401 REQ-7.13-02: The TSP shall provide evidence on how it meets the applicable legal requirements.
- Source of incident disclosure: Finding by CAB during annual ETSI audit.
Impact
- Total number of certificates: N/A
- Total number of "remaining valid" certificates: N/A
- Affected certificate types: N/A
- Incident heuristic: N/A
- Was issuance stopped in response to this incident, and why or why not?: N/A (see point below)
- Analysis: N/A
- Additional considerations: KPN only operates legacy S/MIME-capable CAs, which have not issued any S/MIME certificates since 1 August 2023. At that time this was changed due to updated S/MIME regulations, under which email addresses and the EKU emailProtection were no longer included in publicly trusted certificates.
Timeline
- 28-Feb-2025: Effective date of version 3.1.1 of ETSI EN 319 401 which included updated and new requirements.
- Q1/Q2-2025: Internal validation was conducted to confirm that implemented changes addressed the gaps effectively. The result was that not all new requirements had been implemented fully but this wasn’t followed up correctly.
- 11-Jul-2025: CAB identifies finding.
- 17-Jul-2025: KPN created a Corrective Action Plan to remediate the audit finding.
- Jul-2025: Additional gap analyses were performed on the remaining new requirements.
- 12-Aug-2025: Corrective Action Plan Approved by auditor.
Related Incidents
| Bug | Date | Description |
|---|---|---|
| 1983271 | 15-Aug-2025 | Similar root cause. |
| 1983273 | 15-Aug-2025 | Similar root cause. |
| 1983274 | 15-Aug-2025 | Similar root cause. |
Root Cause Analysis
Contributing Factor 1: Compliance management not fully effective
- Description: Not all requirements were implemented in time, as the changes were not fully tracked or prioritized during the transition period, because there was no structured process in place to monitor updates. Responsibility for tracking and prioritizing these changes was not clearly assigned, which contributed to delays in implementation.
- Timeline: See main timeline.
- Detection: Audit finding by CAB.
- Interaction with other factors: No
- Root Cause Analysis methodology used: N/A
Lessons Learned
- What went well: N/A
- What didn’t go well: N/A
- Where we got lucky: N/A
- Additional: N/A
Action Items
| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Execute gap analyses and implement remaining requirements | Mitigate | Root Cause #1 | Identify any deficiencies and report to management | 2025-10-11 | Ongoing |
| Improve the structured process for tracking and implementing new requirements, including deadlines, periodic reviews and timely escalation to management. This includes assigning responsible persons for monitoring changes and integrating updates into operational procedures. | Prevent | Root Cause #1 | Design and document process | 2025-10-11 | Ongoing |
| Discuss compliance requirements and the necessary resources in a recurring meeting with management. | Detect | Root Cause #1 | Recurring meeting has taken place (and results recorded) at least twice | 2025-10-11 | Completed |
Appendix
N/A
Comment 2•7 months ago
PKIoverheid is monitoring this bug and we're open for additional questions or remarks people might have. Currently we don't have any updates with regards to the Action Items.
Comment 3•6 months ago
With regards to the Action Items we would like to provide an update. For item 1 the gap analysis has been executed and implementation of the remaining requirements has been completed as well. Action Item 2 has also been completed; said process has been implemented. Action Item 3 is in place as well. With that, the current status is:
| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Execute gap analyses and implement remaining requirements | Mitigate | Root Cause #1 | Identify any deficiencies and report to management | 2025-10-11 | Completed |
| Improve the structured process for tracking and implementing new requirements, including deadlines, periodic reviews and timely escalation to management. This includes assigning responsible persons for monitoring changes and integrating updates into operational procedures. | Prevent | Root Cause #1 | Design and document process | 2025-10-11 | Completed |
| Discuss compliance requirements and the necessary resources in a recurring meeting with management. | Detect | Root Cause #1 | Recurring meeting has taken place (and results recorded) at least twice | 2025-10-11 | Completed |
Comment 4•4 months ago
Report Closure Summary
- Incident description: The CAB noted during the annual ETSI EN 319 411-1 audit for the PKIoverheid KPN TSP subCA that full compliance with the new ETSI EN 319 401 v.3.1.1 and NIS2 requirements wasn’t in place yet at the moment of the audit visit.
- Incident Root Cause(s): There was no structured process in place to accurately track the status of upcoming changes in standards. Responsibility for and prioritization of these changes were not clearly assigned, which caused delays in implementation.
- Remediation description: KPN has implemented a structured process for tracking and implementing new (compliance) changes, with clearly defined roles and responsibilities. In addition, periodic meetings with management about compliance requirements and resources have been scheduled and held.
- Commitment summary: KPN commits to maintaining a structured and proactive approach to compliance tracking. In addition to the implemented process and management reviews, KPN will regularly evaluate and refine its procedures to ensure timely identification, prioritization, and implementation of future standard changes.
All Action Items disclosed in this report have been completed as described, and we request its closure.
Comment 5•4 months ago
This is a final call for comments or questions on this Incident Report.
Otherwise, it will be closed on approximately 2025-11-19.