Open Bug 1990277 Opened 4 months ago Updated 3 months ago

SwissSign: recommendation on CA-specific risk assessment

Categories

(CA Program :: CA Certificate Compliance, task)

Product:
CA Program
Component:
CA Certificate Compliance
Type:
task

Tracking

(Not tracked)

Status:
ASSIGNED

People

(Reporter: sandy.balzer, Assigned: sandy.balzer)

Details

(Whiteboard: [ca-compliance] [audit-finding] Next update 2026-04-30)

Preliminary Incident Report

Summary

  • Incident description: The audit report contains a recommendation regarding the improvement of SwissSign’s risk assessment process to better assess risks specific to certification authority related operations.

  • Relevant policies: CA/B-F TLS BR, 5

  • Source of incident disclosure: Audit

Assignee: nobody → sandy.balzer
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [audit-finding]

Full Incident Report

Summary

  • CA Owner CCADB unique ID: A000049
  • Incident description: The audit report contains a recommendation regarding the improvement of SwissSign’s risk assessment process to better assess risks specific to certification authority related operations.
  • Timeline summary:
    • Non-compliance start date: N/A (audit recommendation and not non-compliance)
    • Non-compliance identified date: N/A (audit recommendation and not non-compliance)
    • Non-compliance end date: N/A (audit recommendation and not non-compliance)
  • Relevant policies: CA/B-F TLS BR, 5
  • Source of incident disclosure: Audit

Impact

  • Total number of certificates: N/A
  • Total number of "remaining valid" certificates: N/A
  • Affected certificate types: N/A
  • Incident heuristic: N/A
  • Was issuance stopped in response to this incident, and why or why not?: Certificate issuance was not halted, as certificate issuance was not impacted.
  • Analysis: N/A
  • Additional considerations: SwissSign conducts risk assessments as required per regulation. The risk assessments are asset based, meaning that for each asset in scope, the risk is evaluated and mitigation measures, risk avoidance, transfer or acceptance are defined, documented and regularly reviewed.

Timeline

  • 12.09.2025 Audit report containing this recommendation published

Related Incidents

none found

Root Cause Analysis

Contributing Factor #1:

  • Description: Auditors recommend to also consider process/operations based risks (i.e. end-to-end view of a process to determine the process risk).
  • Timeline: N/A
  • Detection: Audit
  • Interaction with other factors: N/A
  • Root Cause Analysis methodology used: N/A

Lessons Learned

  • What went well: N/A
  • What didn’t go well: N/A
  • Where we got lucky: N/A
  • Additional: N/A

Action Items

Action Item Kind Corresponding Root Cause(s) Evaluation Criteria Due Date Status
Perform process/operations risk assessment for CA related processes and operations Prevent Root Cause # 1 Risk assessments documented 2026-04-30 In progress

Appendix

N/A

We're monitoring this Bugzilla for Community feedback.

We're monitoring this Bugzilla for Community feedback.

Whiteboard: [ca-compliance] [audit-finding] → [ca-compliance] [audit-finding] Next update 2026-04-30
You need to log in before you can comment on or make changes to this bug.