Closed Bug 1983269 Opened 6 months ago Closed 1 month ago

PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #9 – Lifecycle Management

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: pkioverheid, Assigned: pkioverheid)

Details

(Whiteboard: [ca-compliance] [audit-finding])

Preliminary Incident Report

Summary

  • Incident Description:
    • Minor Non-conformity: Network Device Lifecycle Management
  • Relevant Policies:
    • ETSI 319 401 (REQ-7.8-02, REQ-7.14.2-13X)
  • Source of incident disclosure:
    • Annual ETSI Audit
Assignee: nobody → pkioverheid
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [audit-finding]

Full Incident Report - ETSI Finding #9 - Lifecycle Management

Summary

  • CA Owner CCADB unique ID: A000068

  • Incident description: The CAB noted that lifecycle management for network devices wasn’t effective (e.g. not all assets were up-to-date or were EOL). This was noted down by the CAB as a minor non-conformity.

  • Timeline summary:

    • Non-compliance start date: N/A

    • Non-compliance identified date: 11-Jul-2025.

    • Non-compliance end date: Ongoing.

  • Relevant policies:

    • ETSI EN 319401, REQ-7.8-02: The TSP shall segment its systems into networks or zones based on risk assessment considering functional, logical, and physical (including location) relationship between trustworthy systems and services.

    • ETSI EN 319401, REQ-7.14.2-13X: TSP shall implement specific processes for managing ICT component life cycle and availability and associated security risks.

  • Source of incident disclosure: Finding by CAB during annual ETSI audit.

Impact

  • Total number of certificates: N/A

  • Total number of "remaining valid" certificates: N/A

  • Affected certificate types: N/A

  • Incident heuristic: N/A

  • Was issuance stopped in response to this incident, and why or why not?: N/A (see point below)

  • Analysis: N/A

  • Additional considerations: KPN only operates legacy S/MIME-capable CAs, which have not issued any S/MIME certificates since 1 August 2023. At that time this was changed due to updated S/MIME regulations, under which email addresses and the EKU emailProtection were no longer included in publicly trusted certificates.

Timeline

  • 11-Jul-2025: Auditor identifies finding

  • 17-Jul-2025: Created Corrective Action Plan

  • 12-Aug-2025: Corrective Action Plan Approved by auditor

Related Incidents

N/A

Root Cause Analysis

Contributing Factor 1: Network device lifecycle management not effective

  • Description: A limited number of network switches were not replaced before reaching software end-of-life (EOL) because the hardware EOL and software EOL dates differ. The difference between these two dates was overlooked.

  • Timeline: See main timeline.

  • Detection: Audit finding by CAB.

  • Interaction with other factors: No.

  • Root Cause Analysis methodology used: N/A

Lessons Learned

  • What went well: The (hardware) end-of-life devices were identified in a timely manner.

  • What didn’t go well: N/A

  • Where we got lucky: No vulnerabilities identified in OSs on end-of-life devices that could not be fixed.

  • Additional: N/A

Action Items

| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
| --- | --- | --- | --- | --- | --- |
| Replace switches which have EOL OS versions | Mitigate | Root Cause #1 | Switches replaced | 2026-01-11 | In progress |
| Amend the EOL list used in the lifecycle management process by explicitly listing both hardware and OS EOL dates for network devices | Prevent | Root Cause #1 | Both software and hardware | 2025-10-11 | In progress |

Appendix

N/A
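The root cause above (hardware and OS end-of-life dates tracked as separate numbers, with the earlier one overlooked) and action item #2 (register both dates in the CMDB) are what the following added example checks. It is not code from KPN, PKIoverheid or BSI: the inventory, asset IDs, model names and dates are constructed, and the 180-day replacement lead time is an assumption. A device is treated as unsupported as soon as either date passes, and a record with only one of the two dates is itself reported, since it cannot prove the device is supported.

```python
"""
Added example (not code from the KPN/PKIoverheid report or the BSI audit):
a lifecycle check over a network-device inventory that records BOTH the
hardware end-of-life and the OS end-of-life and alerts on whichever comes
first. All asset IDs, models and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class NetworkDevice:
    asset_id: str
    model: str
    os_version: str
    hardware_eol: Optional[date]  # vendor end of support for the chassis
    software_eol: Optional[date]  # vendor end of support for the OS train


# Constructed inventory. sw-core-01 has the shape of the audit finding:
# hardware still supported, OS already past end of support.
SAMPLE_INVENTORY: List[NetworkDevice] = [
    NetworkDevice("sw-core-01", "ModelA", "12.2", date(2027, 3, 31), date(2025, 6, 30)),
    NetworkDevice("sw-dist-02", "ModelB", "15.1", date(2025, 12, 31), date(2026, 6, 30)),
    NetworkDevice("sw-acc-03", "ModelC", "16.0", date(2028, 1, 1), date(2027, 1, 1)),
    NetworkDevice("sw-lab-04", "ModelA", "12.2", date(2026, 6, 30), None),
]

# Constructed reference date (the date the finding was identified in the report).
AUDIT_DATE = date(2025, 7, 11)


def effective_eol(dev: NetworkDevice) -> Optional[date]:
    """Unsupported as soon as EITHER date passes, so the earlier one is the real EOL.

    Returns None when one of the two dates is missing from the record."""
    if dev.hardware_eol is None or dev.software_eol is None:
        return None
    return min(dev.hardware_eol, dev.software_eol)


def eol_driver(dev: NetworkDevice) -> str:
    """Which of the two dates sets the effective EOL (the gap that was overlooked)."""
    eol = effective_eol(dev)
    if eol is None:
        return "unknown"
    return "software" if dev.software_eol == eol else "hardware"


def classify(dev: NetworkDevice, today: date, lead_time: timedelta) -> str:
    eol = effective_eol(dev)
    if eol is None:
        # Only one date registered: cannot prove support, so report it
        # instead of silently assuming the best case.
        return "INCOMPLETE_RECORD"
    if eol < today:
        return "EXPIRED"
    if eol - today <= lead_time:
        return "REPLACE_SOON"
    return "OK"


def eol_report(inventory: List[NetworkDevice], today: date,
               lead_time: timedelta = timedelta(days=180)) -> Dict[str, Dict[str, object]]:
    """Per-asset status; lead_time is the assumed procurement/replacement window."""
    report: Dict[str, Dict[str, object]] = {}
    for dev in inventory:
        report[dev.asset_id] = {
            "state": classify(dev, today, lead_time),
            "driver": eol_driver(dev),
            "eol": effective_eol(dev),
        }
    return report


def findings(report: Dict[str, Dict[str, object]]) -> List[str]:
    """Asset IDs that need action, worst first."""
    order = {"EXPIRED": 0, "INCOMPLETE_RECORD": 1, "REPLACE_SOON": 2}
    hits = [(order[str(v["state"])], k) for k, v in report.items() if v["state"] in order]
    return [k for _, k in sorted(hits)]


if __name__ == "__main__":
    rep = eol_report(SAMPLE_INVENTORY, AUDIT_DATE)
    for asset in findings(rep):
        r = rep[asset]
        print(f"{asset}: {r['state']} (driven by {r['driver']} EOL {r['eol']})")
```

Run against the constructed inventory, the core switch is reported as EXPIRED with the software date as the driver even though its hardware support runs until 2027, which is exactly the case a list keyed on hardware EOL alone misses; the lab switch with a missing software date is reported as an incomplete record rather than passing.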

In the Action Items above an error occurred while pasting the information from internal systems to markdown, so an updated version with the right Evaluation Criteria is provided below. In the meantime, PKIoverheid is monitoring this bug and we're open to additional questions or remarks people might have.

| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
| --- | --- | --- | --- | --- | --- |
| Replace switches which have EOL OS versions | Mitigate | Root Cause #1 | EOL switches have been replaced, report back | 2026-01-11 | In progress |
| Amend the EOL list used in the lifecycle management process by explicitly listing both hardware and OS EOL dates for network devices | Prevent | Root Cause #1 | Both software and hardware EOLs have been registered in the CMDB | 2025-10-11 | In progress |

With regards to this audit finding we currently have to report that action item #2 has been slightly delayed. The work needed to complete this action item turned out to be more than initially foreseen. Action item #1 is still on track for now.

With that, the status of the action items is:

| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
| --- | --- | --- | --- | --- | --- |
| Replace switches which have EOL OS versions | Mitigate | Root Cause #1 | EOL switches have been replaced, report back | 2026-01-11 | In progress |
| Amend the EOL list used in the lifecycle management process by explicitly listing both hardware and OS EOL dates for network devices | Prevent | Root Cause #1 | Both software and hardware EOLs have been registered in the CMDB | 2025-10-25 | In progress |

With regards to this audit finding we have a (small) update. Action item #2 has been completed by KPN. Action item #1 is still in progress and is still within the Due Date. If there are any questions or comments we're monitoring this bug in the meantime. Thanks.

Could you confirm whether the NCSSRs were impacted by this bug and why they weren’t listed under ‘Relevant Policies’?

Hi Dustin, thanks for your reply. The NCSSRs were in scope for this audit (specifically version 2.0.3). The audit criteria under "relevant policies" bullet in this bug were directly taken from the audit report (statement of non-conformity). As to why the CAB didn't include the NCSSRs for this specific finding, we're not exactly sure, so KPN has asked the CAB (BSI) for clarification. This might take a few days. Thanks.

Hi Dustin,

We have received a response from BSI (the CAB) regarding the applicability of NetSec in general to this audit finding, and together with KPN we have made an assessment of the applicability of specific NCSSR requirements. Our questions to BSI and their answers are posted below verbatim, followed by our assessment.

1. Should NCSSRs be explicitly mentioned in the report for this type of finding?
The audit was conducted as an assertion-based audit, where KPN confirmed compliance with the applicable requirements outlined in the Statement of Applicability and the Overview of Applicability. These requirements include ETSI standards, NCSSRs, and the PKIoverheid Programme of Requirements, among others. For reporting purposes, each non-conformity is referenced against the requirement that most directly addresses the issue. In this case, ETSI EN 319 401 REQ-7.7-01 fully covers the observed condition (unsupported software). Referencing ETSI ensures clarity and consistency in the report, while all applicable criteria were evaluated during the audit.

2. Do you consider this non-conformity a breach of NCSSRs, or is reporting under ETSI sufficient?
The non-conformity also falls under NCSSR obligations (e.g., timely remediation of unsupported components) and PKIOverheid requirements. The audit team reviewed all applicable frameworks as part of the full-scope audit required by, for example, Mozilla Root Store Policy and Microsoft Trusted Root Certificate Program requirements. For reporting purposes, the finding was mapped to ETSI EN 319 401 because it most directly addresses the issue. This does not diminish the relevance of other frameworks, which remain part of the audit scope. In general, a TSP should ensure that any corrective action plan addresses compliance across all obligations.

As to the specific NCSSR criteria applicable to this finding, we've concluded that "4.2 – Vulnerability Management Lifecycle" is applicable in this case. We'll update this bug accordingly.

As indicated above, we're restating our full incident report to include the applicable criteria from the NCSSRs. This new version also includes a new version of the list of action items (since action item 2 has been completed, as indicated in comment #4). Everything else is the same as in the original full incident report in comment #1.

Full Incident Report - ETSI Finding #9 - Lifecycle Management

Summary

  • CA Owner CCADB unique ID: A000068

  • Incident description: The CAB noted that lifecycle management for network devices wasn’t effective (e.g. not all assets were up-to-date or were EOL). This was noted down by the CAB as a minor non-conformity.

  • Timeline summary:

    • Non-compliance start date: N/A

    • Non-compliance identified date: 11-Jul-2025.

    • Non-compliance end date: Ongoing.

  • Relevant policies:

    • ETSI EN 319401, REQ-7.8-02: The TSP shall segment its systems into networks or zones based on risk assessment considering functional, logical, and physical (including location) relationship between trustworthy systems and services.

    • ETSI EN 319401, REQ-7.14.2-13X: TSP shall implement specific processes for managing ICT component life cycle and availability and associated security risks.

    • Network and Certificate System Security Requirements section 4.2 – Vulnerability Management Lifecycle: The CA MUST document and follow a vulnerability correction process that includes: 1. identification; 2. review; 3. response; and 4. remediation.

  • Source of incident disclosure: Finding by CAB during annual ETSI audit.

Impact

  • Total number of certificates: N/A

  • Total number of "remaining valid" certificates: N/A

  • Affected certificate types: N/A

  • Incident heuristic: N/A

  • Was issuance stopped in response to this incident, and why or why not?: N/A (see point below)

  • Analysis: N/A

  • Additional considerations: KPN only operates legacy S/MIME-capable CAs, which have not issued any S/MIME certificates since 1 August 2023. At that time this was changed due to updated S/MIME regulations, under which email addresses and the EKU emailProtection were no longer included in publicly trusted certificates.

Timeline

  • 11-Jul-2025: Auditor identifies finding

  • 17-Jul-2025: Created Corrective Action Plan

  • 12-Aug-2025: Corrective Action Plan Approved by auditor

Related Incidents

N/A

Root Cause Analysis

Contributing Factor 1: Network device lifecycle management not effective

  • Description: A limited number of network switches were not replaced before reaching software end-of-life (EOL) because the hardware EOL and software EOL dates differ. The difference between these two dates was overlooked.

  • Timeline: See main timeline.

  • Detection: Audit finding by CAB.

  • Interaction with other factors: No.

  • Root Cause Analysis methodology used: N/A

Lessons Learned

  • What went well: The (hardware) end-of-life devices were identified in a timely manner.

  • What didn’t go well: N/A

  • Where we got lucky: No vulnerabilities identified in OSs on end-of-life devices that could not be fixed.

  • Additional: N/A

Action Items

| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
| --- | --- | --- | --- | --- | --- |
| Replace switches which have EOL OS versions | Mitigate | Root Cause #1 | Switches replaced | 2026-01-11 | In progress |
| Amend the EOL list used in the lifecycle management process by explicitly listing both hardware and OS EOL dates for network devices | Prevent | Root Cause #1 | Both software and hardware | 2025-10-11 | Done |

Appendix

N/A

Implementation is on schedule. No further updates.

This report has gone stale. As a reminder, CA Owners may request the “Next update” Whiteboard field be set by a Root Store Operator to align with a specific date related to an open Action Item.

Flags: needinfo?(pkioverheid)

Implementation is on schedule. No further updates.

Flags: needinfo?(pkioverheid)

KPN has reported that action item 1 has been completed last week. With that, all action items have been completed and we'll be posting a closure statement shortly.

Report Closure Summary

  • Incident description: The CAB noted that lifecycle management for network devices wasn’t effective (e.g. not all assets were up-to-date or were EOL). This was noted down by the CAB as a minor non-conformity.

  • Incident Root Cause(s): The application was not included in the target list (logical access review) because it uses the same access card as another application in the same environment. This led to the incorrect assumption that separate reconciliation was unnecessary for this application.

  • Remediation description: KPN has taken several steps to address the identified issues. These included replacing the EOL switches and amending the EOL list used in the lifecycle management process by explicitly listing both hardware and OS EOL dates for network devices.

  • Commitment summary: KPN commits to periodically evaluating the LCM list of the network devices to ensure hardware is replaced on time in the future.

All Action Items disclosed in this report have been completed as described, and we request its closure.

This is a final call for comments or questions on this Incident Report.

Otherwise, it will be closed on approximately 2026-01-28.

Flags: needinfo?(incident-reporting)
Whiteboard: [ca-compliance] [audit-finding] → [close on 2026-01-28] [ca-compliance] [audit-finding]
Status: ASSIGNED → RESOLVED
Closed: 1 month ago
Flags: needinfo?(incident-reporting)
Resolution: --- → FIXED
Whiteboard: [close on 2026-01-28] [ca-compliance] [audit-finding] → [ca-compliance] [audit-finding]