Open Bug 1990281 Opened 3 months ago Updated 2 months ago

SwissSign: recommendation on self-assessment tool

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: sandy.balzer, Assigned: sandy.balzer)

Details

(Whiteboard: [ca-compliance] [audit-finding] Next update 2026-04-30)

Preliminary Incident Report

Summary

  • Incident description: The audit report contains a recommendation regarding the improvement of SwissSign’s additional self-developed Self-Assessment Tool to reflect SwissSign-specific certificate content beyond the common linting tools.

  • Relevant policies: CA/B-F TLS BR, 7.1

  • Source of incident disclosure: Audit

Assignee: nobody → sandy.balzer
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [audit-finding]

Full Incident Report

Summary

  • CA Owner CCADB unique ID: A000049

  • Incident description: The audit report contains a recommendation regarding the improvement of SwissSign’s additional self-developed Self-Assessment Tool to reflect SwissSign-specific certificate content beyond the common linting tools.

  • Timeline summary:

    • Non-compliance start date: N/A (audit recommendation and not non-compliance)
    • Non-compliance identified date: N/A (audit recommendation and not non-compliance)
    • Non-compliance end date: N/A (audit recommendation and not non-compliance)
  • Relevant policies: CA/B-F TLS BR #7.1, CA/B-F SMIME BR #7.1, CA/B-F TLS BR #8.7 'Self-Audit'

  • Source of incident disclosure: Audit

Impact

  • Total number of certificates: n/a
  • Total number of "remaining valid" certificates: n/a
  • Affected certificate types: n/a
  • Incident heuristic: n/a
  • Was issuance stopped in response to this incident, and why or why not?: Certificate issuance was not halted, as certificate issuance was not impacted.
  • Analysis: n/a
  • Additional considerations: This recommendation concerns SwissSign's self-audit tool, which we use for the quarterly self-audit of issued certificates (as defined in CA/B-F TLS BR, 8.7 'Self-Audits'). During the audit the auditors recommended that SwissSign ensures ongoing improvement of SwissSign's certificate self-audit tool by establishing a specific process

Timeline

  • 12.09.2025 Audit report containing this recommendation published

Related Incidents

none found

Root Cause Analysis

Contributing Factor 1: Certificate self-audit tool

  • Description: Currently the further development of the certificate self-audit tool is not established as a process.
  • Timeline: n/a
  • Detection: Audit
  • Interaction with other factors: n/a
  • Root Cause Analysis methodology used: n/a

Lessons Learned

  • What went well: n/a
  • What didn’t go well: n/a
  • Where we got lucky: n/a
  • Additional: n/a

Action Items

| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
| --- | --- | --- | --- | --- | --- |
| Define and establish process to update the self-audit tool | Prevent | Root Cause # 1 | process description with criteria, deadlines and responsibilities | 2026-04-30 | ongoing |

Appendix

n/a

We're monitoring this Bugzilla for Community feedback.

We're monitoring this Bugzilla for Community feedback.

Whiteboard: [ca-compliance] [audit-finding] → [ca-compliance] [audit-finding] Next update 2026-04-30