Open Bug 1990254 Opened 1 month ago Updated 1 day ago

SwissSign: recommendation on risk assessment

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: sandy.balzer, Assigned: sandy.balzer)

Details

(Whiteboard: [ca-compliance] [audit-finding] Next update 2026-04-30)

Preliminary Incident Report

Summary

  • Incident description: The audit report contains a recommendation regarding the improvement of SwissSign’s risk assessment processes and the tracking of countermeasures.

  • Relevant policies: ETSI EN319 401, REQ 5-04

  • Source of incident disclosure: Audit

Assignee: nobody → sandy.balzer
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [audit-finding]

Full Incident Report

Summary

  • CA Owner CCADB unique ID: A000049
  • Incident description: The ETSI audit report for SwissSign contains a recommendation to improve SwissSign’s risk assessment processes and the tracking of countermeasures.
  • Timeline summary:
    • Non-compliance start date: N/A (audit recommendation and not non-compliance)
    • Non-compliance identified date: N/A (audit recommendation and not non-compliance)
    • Non-compliance end date: N/A (audit recommendation and not non-compliance)
  • Relevant policies: ETSI EN319 401, REQ 5-04
  • Source of incident disclosure: Audit

Impact

  • Total number of certificates: N/A
  • Total number of "remaining valid" certificates: N/A
  • Affected certificate types: N/A
  • Incident heuristic: N/A
  • Was issuance stopped in response to this incident, and why or why not?: Certificate issuance was not halted, as certificate issuance was not impacted.
  • Analysis: N/A
  • Additional considerations: N/A

Timeline

  • 2025-09-12: Audit report containing this recommendation published

Related Incidents

none found

Root Cause Analysis

Contributing Factor #1: Improvement of risk assessment and countermeasure tracking

  • Description: Risk assessments are being performed, while the documentation and structured tracking of countermeasures do not fully match current best practices of ETSI EN 319 401 §5-04.
  • Timeline: N/A
  • Detection: Audit
  • Interaction with other factors: N/A
  • Root Cause Analysis methodology used: N/A

Lessons Learned

  • What went well: N/A
  • What didn’t go well: N/A
  • Where we got lucky: N/A
  • Additional: N/A

Action Items

  • Action Item: Update risk assessment process to match current best practices of ETSI EN 319 401 §5-04
  • Kind: Prevent
  • Corresponding Root Cause(s): Root Cause #1
  • Evaluation Criteria: documentation update
  • Due Date: 2026-04-30
  • Status: in progress

Appendix

N/A

We're monitoring this Bugzilla for Community feedback.

Can I request that the Next Update field for this and the other SwissSign incident reports be set to the Due Date (e.g. 2026-04-30) listed under Action Items? This would eliminate the need for SwissSign to provide weekly updates, which in turn would reduce the burden for other CAs to read all bugzilla incident report updates.

Thanks,
Jacob

Flags: needinfo?(incident-reporting)

[In response to Comment 4]

That seems like a reasonable course of action. Of course, if SwissSign prefers to continue offering updates, they are welcome to do so.

We've also recorded an issue to more strongly encourage CA Owners to make nextUpdate recommendations going forward.

Flags: needinfo?(incident-reporting)
Whiteboard: [ca-compliance] [audit-finding] → [ca-compliance] [audit-finding] Next update 2026-04-30