Open
Bug 1990285
Opened 3 months ago
Updated 2 months ago
SwissSign: recommendation on log review process
Categories
(CA Program :: CA Certificate Compliance, task)
CA Program
CA Certificate Compliance
Tracking
(Not tracked)
ASSIGNED
People
(Reporter: sandy.balzer, Assigned: sandy.balzer)
Details
(Whiteboard: [ca-compliance] [audit-finding] Next update 2026-04-30)
Preliminary Incident Report
Summary
-
Incident description: The audit report contains a recommendation regarding the improvement of SwissSign’s review process of its logs.
-
Relevant policies: CA/B-F NetSec, 3.1.2
-
Source of incident disclosure: Audit
|
||
Updated•3 months ago
|
Assignee: nobody → sandy.balzer
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [audit-finding]
|
Assignee | |
Comment 1•3 months ago
|
||
Full Incident Report
Summary
- CA Owner CCADB unique ID: A000049
- Incident description: The audit report contains a recommendation regarding the improvement of SwissSign’s review process of its logs.
- Timeline summary:
- Non-compliance start date: N/A (audit recommendation and not non-compliance)
- Non-compliance identified date: N/A (audit recommendation and not non-compliance)
- Non-compliance end date: N/A (audit recommendation and not non-compliance)
- Relevant policies: CA/B-F NetSec, 3.1.2
- Source of incident disclosure: Audit
Impact
- Total number of certificates: N/A
- Total number of "remaining valid" certificates: N/A
- Affected certificate types: N/A
- Incident heuristic: N/A
- Was issuance stopped in response to this incident, and why or why not?: Certificate issuance was not halted, as certificate issuance was not impacted.
- Analysis: N/A
- Additional considerations: SwissSign is in the process of offering new services under eIDAS regulation. The eIDAS implementing act of the country where SwissSign strives to be accredited (Austria) demand a log archival period of 30 years. Current archival processes consider retention periods of up to 11 years.
Timeline
- 12.09.2025 Audit report containing this recommendation published
Related Incidents
none found
Root Cause Analysis
Contributing Factor #1:
- Description: Auditors recommend to define retention periods up to 30 years to pro-actively cover the requirements of the relevant eIDAS regulation.
- Timeline: N/A
- Detection: Audit
- Interaction with other factors: N/A
- Root Cause Analysis methodology used: N/A
Lessons Learned
- What went well: N/A
- What didn’t go well: N/A
- Where we got lucky: N/A
- Additional: N/A
Action Items
| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Define and implement 30 year retention period for information governed by eIDAS | Prevent | Root Cause # 1 | New retention period audited | 2026-04-30 | In progress |
Appendix
N/A
|
|
Assignee | |
Comment 2•3 months ago
|
||
We're monitoring this Bugzilla for Community feedback.
|
|
Assignee | |
Comment 3•2 months ago
|
||
We're monitoring this Bugzilla for Community feedback.
|
|
||
Updated•2 months ago
|
Whiteboard: [ca-compliance] [audit-finding] → [ca-compliance] [audit-finding] Next update 2026-04-30
You need to log in
before you can comment on or make changes to this bug.
Description
•