Open Bug 1985816 Opened 4 months ago Updated 5 days ago

PKIoverheid: TSP Cleverbase Findings in 2025 ETSI Audit - Incident Report #1 – Incorrect issuer CA listed in CPS

Categories

(CA Program :: CA Certificate Compliance, task)

Product:
CA Program
Component:
CA Certificate Compliance
Type:
task

Tracking

(Not tracked)

Status:
ASSIGNED

People

(Reporter: pkioverheid, Assigned: pkioverheid)

Details

(Whiteboard: [ca-compliance] [audit-finding])

Full Incident Report

Summary

  • CA Owner CCADB unique ID: A000068

  • Incident description:
    During the annual audit for CA Cleverbase ID B.V. (a PKIoverheid subCA) a minor non-conformity was registered with regards to the contents of the CPS of Cleverbase.
    The Cleverbase CPS which was in force at the time of the audit (Version 2.0 as of 02-04-2025) gave an overview over the PKIoverheid G3 and G4 PKI hierarchies in section “1.1 Overview”. In this overview the root and intermediate CA for the G4 hierarchy were named “Staat der Nederlanden - G4 Root Priv G-Other – 2024” and “Staat der Nederlanden - G4 Intm Priv G-Other NP – 2024”.
    However, the G4 CA certificate for Cleverbase was issued by the “Staat der Nederlanden - G4 Intm EUTL G-Sigs NP – 2024” CA, hence the correct naming for the root and intermediate CA is “Staat der Nederlanden - G4 Root EUTL G-Sigs – 2024” and “Staat der Nederlanden - G4 Intm EUTL G-Sigs NP – 2024”.
    Since the issued certificate for the issuing-CA “Cleverbase ID - G4 PKIo EUTL G-Sigs NP – 2024” shows the correct issuer-CN (“Staat der Nederlanden - G4 Intm EUTL G-Sigs NP– 2024”), this was just an minor error in the CPS and this issue was fixed in the next CPS update.

  • Timeline summary:

    • Non-compliance start date:
    • 02-03-2025
    • Non-compliance identified date:
    • 02-04-2025
    • Non-compliance end date:
    • 02-06-2025

  • Relevant policies:
    Certification Practice Statement Cleverbase ID B.V.

  • Source of incident disclosure:
    Conformity Assessment Report/Audit Attestation Letter Cleverbase ID B.V.

Impact

  • Total number of certificates:
    N/A

  • Total number of "remaining valid" certificates:
    N/A

  • Affected certificate types:
    N/A

  • Incident heuristic:
    N/A

  • Was issuance stopped in response to this incident, and why or why not?:
    No. No certificates had been issued under this TSP intermediate certificate yet (CA certificate was not in use yet)

  • Analysis:
    N/A

  • Additional considerations:
    Cleverbase has never issued S/MIME certificates but operates a subordinate CA which is S/MIME capable due to the fact that PKIoverheid TSP CA certificate profiles were created in the past with the S/MIME EKU (emailProtection) in mind for legacy compatibility issues with certain software suites (signing applications)

Timeline

See contributing factor 1

Related Incidents

N/A

Root Cause Analysis

A new CPS version needed to be created to incorporate all the changes that were expected for the new G4 CA certificate. Changes to the Cleverbase CPS are normally not frequent and/or large in scope, which makes reviewing and publishing the changes for the new version quite controlled and orderly.
Since these new changes contained details for issuing new type of certificates (G4) which features major changes in design compared to the previous G3 hierarchy, the choice was made to bundle all small changes to the CPS in one big release (2.0). This includes a significant amount of very specific detailed changes that resulted in a complex change. Making this amount of detailed changes by hand is error prone and the large amount of changes also makes catching errors in the review process harder.
Ultimately the mentioned error slipped through and made its way to production.

Contributing Factor 1: Human error

  • Description:
    As preparation for setting up a new CA under a new government intermediate and root a draft CPS was created.
    This draft CPS included a substantial amount of changes to accompany the release of this new CA (Profiles, status information, etc.)
    During the creation and review of the CPS by a second pair of eyes the error in the hierarchy was not noticed.

  • Timeline:
    26-2-2025: Draft CPS was created and reviewed. The error went unnoticed.
    2-3-2025: A draft CPS was sent as audit documentation to the CAB.
    2-4-2025: The CAB found the minor non-conformity during the audit.
    2-6-2025: A new CPS version including the fix for the minor non-conformity was published.

  • Detection:
    The CAB inspected our CPS, finding it stated the wrong intermediate root in the hierarchy for the issuer certificate that was being audited.

  • Interaction with other factors:
    NA

  • Root Cause Analysis methodology used:
    5 Whys

Lessons Learned

  • What went well:
    • Substantial amount of changes to our CPS were succesfully released
    • The error was contained and fixed in a timely manner
  • What didn’t go well:
    • The review on the CPS was not thorough enough to catch the error.
  • Where we got lucky:
    • The error had no impact on any certificates or running operations
  • Additional:
    • NA

Action Items

Action Item Kind Corresponding Root Cause(s) Evaluation Criteria Due Date Status
A mandatory review checklist for critical parts of the CPS will be incorporated in the change and release process for CPS updates. Prevent Root Cause # 1 Review Checklist must include all critical fields of CPS and be approved by the Compliance Officer 2025-05-21 Done
Analysis of technical measures to prevent human errors in critical parts of the CPS Prevent Root Cause # 1 Report with decision regarding technical measures 2026-04-14 To do

Appendix

Assignee: nobody → pkioverheid
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [audit-finding]

PKIoverheid is monitoring this bug and we're open for additional questions or remarks people might have. Currently we don't have any updates with regards to the Action Items.

PKIoverheid is monitoring this bug and we're open for additional questions or remarks people might have. Currently we don't have any updates with regards to the Action Items.

This report has gone stale.

You may request a next update that's beyond the normal weekly cadence but, absent that being accepted, you are required to provide an update on a weekly basis.

All action items have been completed. A closure statement will be posted shortly.

This report has gone stale. If it is ready for closure, please file a Closure Report.

Flags: needinfo?(pkioverheid)

Comment 4 falsely claimed all action items had been completed. Statements regarding another incident got mixed-up with this one resulting in posting in the wrong bug. Action item #2 is still ongoing and its due date remains 2026-04-14.

Flags: needinfo?(pkioverheid)
You need to log in before you can comment on or make changes to this bug.