Closed Bug 2001327 Opened 1 month ago Closed 13 days ago

NETLOCK: Missing CDP Disclosure in CCADB

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kaluha.roland, Assigned: kaluha.roland)

Details

(Whiteboard: [ca-compliance] [disclosure-failure])

Preliminary Incident Report

Summary

Report received regarding missing CRL Distribution Points disclosure for CA certificate (crt.sh ID 13803124572)

NETLOCK has received an external report indicating that the CA certificate referenced at: https://crt.sh/?id=13803124572 does not have its required CRL Distribution Points disclosed in the CCADB, as expected under CCADB Policy section 6.2.

The reporter noted that this CA is already present in the CCADB and has issued subordinate certificates, but the CRL Distribution Points appear to be missing.

We have initiated an internal investigation to verify the issue and will take further action as needed.

Assignee: nobody → kaluha.roland
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [disclosure-failure]
Summary: NETLOCK CA in CCADB → NETLOCK: Missing CDP Disclosure in CCADB

Update – Completed Analysis of Missing CRL Distribution Points Disclosure for CA Certificate (crt.sh ID 13803124572)

Summary

This update provides the results of NETLOCK’s completed investigation regarding the reported missing CRL Distribution Points (CDP) disclosure for the CA certificate at:
https://crt.sh/?id=13803124572

Our internal analysis confirms that the certificate itself contains a valid CRL Distribution Point extension, but this information was not properly reflected in the CCADB metadata, resulting in the discrepancy noted by the reporter.

Findings

1. Certificate Structure Verification

A detailed review of the CA certificate shows that all required X.509 extensions are present. This confirms that the reported issue does not originate from the certificate content itself.

Although the certificate contains a valid CRL DP extension, the CRL Distribution Points field was not included in the CCADB disclosure record.

This is inconsistent with CCADB Policy §6.2, which requires CA operators to provide accurate and complete CRL and OCSP endpoint information for every intermediate CA.

3. Underlying Cause

The root cause is a disclosure workflow omission that occurred during CCADB submission for this CA.

No indication was found of a system-level failure or incorrect certificate generation.

Remediation Actions

Immediate Corrective Action

We will submit an updated CCADB record for the affected CA containing the complete CRL Distribution Points information:

The corrected disclosure will be uploaded to CCADB following internal validation.

Preventive Steps

To prevent recurrence, NETLOCK will:

  1. Implement a mandatory disclosure completeness checklist for all CCADB submissions, explicitly verifying CRL DP and AIA endpoint fields.
  2. Review all CA disclosures to confirm no additional metadata inconsistencies.

Next Steps

  • The CCADB metadata update is scheduled.
  • A final closing notice will be provided once the corrected metadata is publicly visible and validated.

NETLOCK remains committed to maintaining full compliance with CCADB requirements and appreciates the external report that brought this discrepancy to our attention.

(In reply to Roland from comment #1)

> NETLOCK remains committed to maintaining full compliance with CCADB requirements and appreciates the external report that brought this discrepancy to our attention.

If that is NETLOCK's intention then please read CCADB's Incident Reporting Guidelines. Unless there is a final incident report forthcoming?

Thank you for your message and for the continued guidance.

NETLOCK remains fully committed to meeting all CCADB requirements and expectations. We have completed the analysis of the reported issue; however, the remediation process itself is still ongoing. In response to the question raised in Comment #2, we confirm that NETLOCK will provide a full incident report, which will be shared with the community as soon as the corrective actions are finalized.

As several community members have already emphasized, resolving an incident does not end with correcting the specific error. It also requires system-level consideration and the implementation of appropriate preventive measures to ensure that similar issues cannot reoccur. NETLOCK fully agrees with this approach, and our ongoing work includes both the immediate fix and the necessary long-term improvements.

We continue to view this community as a constructive and collaborative forum. We respect and appreciate the genuine intent to help, and we welcome any supportive insights or suggestions that contribute to improving our processes and compliance.

Please review the CCADB Incident Response Guidelines, particularly the sections on required templates and timelines.

As an example, the Preliminary Incident Report you submitted omitted the required bullets under Summary (“Incident description,” “Relevant policies,” and “Source of incident disclosure”). Including these ensures consistency and completeness across all reports.

Based on the details provided to date, it appears the Final Incident Report is still in progress.

Dear members, we have prepared the corrected preliminary report.

Preliminary Incident Report

Summary

  • Incident description:
    A third party reported that a NETLOCK CA certificate contains CRL Distribution Points (CDP) in the certificate (e.g., crt.sh ID 13803124572), but the corresponding CCADB record did not disclose the CRL Distribution Point(s). NETLOCK has confirmed this is a CCADB disclosure/metadata omission (missing CRL DP disclosure), and is investigating scope and remediation.

  • Relevant policies:
    CCADB Policy §6.2 (as referenced in the Bugzilla report) and the CCADB Incident Reporting Guidelines / templates being followed for this preliminary disclosure.

  • Source of incident disclosure:
    Third Party Reported (external community report filed in Bugzilla).

And we have prepared the full incident report.

Full Incident Report

Summary

  • CA Owner CCADB unique ID: A011752
  • Incident description:
    A third party reported that a NETLOCK CA certificate contains a CRL Distribution Points (CDP) URI in the certificate, but the corresponding CCADB record did not disclose the CRL Distribution Point(s). NETLOCK confirmed this was a CCADB disclosure/metadata omission caused by human error and a checklist gap, and that no internal tool/control flagged this non-compliance.
  • Timeline summary:
    • Non-compliance start date: 2024-07-11 13:43:00 UTC
    • Non-compliance identified date: 2025-11-20 13:30:00 UTC (converted from 2025-11-20 14:30 CET)
    • Non-compliance end date: Ongoing (records remediation in progress)
  • Relevant policies:
    CCADB policy requirements for CA certificate metadata disclosure (including endpoints such as CRL Distribution Points), and the CCADB incident reporting requirements.
  • Source of incident disclosure:
    Third Party Reported

Impact

  • Total number of certificates: 3 (valid, expired, revoked)
  • Total number of "remaining valid" certificates: 1
  • Affected certificate types:
    Intermediate CA certificate disclosure
  • Incident heuristic:
    CCADB record missing disclosure for endpoint metadata (specifically CRL Distribution Points) that is present in the CA certificate.
  • Was issuance stopped in response to this incident, and why or why not?:
    The CA(s) were not used in production. After issuing the valid/revoked/expired CA certificates, NETLOCK did not use the CA. The non-compliance was discovered when NETLOCK intended to use the CA but had not used it.
  • Analysis:
    The incident is limited to this CA only. Three CA certificates were involved (one currently valid), and the issue is a mismatch between certificate extensions (CDP present) and CCADB disclosure data (CDP not disclosed).

Timeline

  • 2024-07-11 13:43:00 UTC — Non-compliance begins (CA certificate validity start; CCADB disclosure omission exists from this point).
  • 2025-11-20 13:30:00 UTC — Non-compliance detected (reported/identified time converted from 2025-11-20 14:30 CET).
  • Ongoing — Non-compliance end date pending: CCADB record corrections are in progress.

Related Incidents

None. The CA was generated but not used; no related incidents were identified.

Root Cause Analysis

Contributing Factor #1: Human error + checklist gap + missing tooling

  • Description:
    The CRL Distribution Points information was omitted from the CCADB disclosure due to human error and a gap in the disclosure checklist. Additionally, NETLOCK lacked a tool/control that would automatically detect or warn about discrepancies between CA certificate extensions (e.g., CDP) and CCADB-disclosed fields.
  • Timeline:
    Introduced at disclosure time for the CA certificate(s) and persisted until detection.
  • Detection:
    The CA was not used operationally; the issue was discovered by a third party.
  • Root Cause Analysis methodology used:
    5 Whys

Lessons Learned

  • What went well:
    Once identified, NETLOCK initiated a structured review of CCADB reports and implemented recurring checks to eliminate checklist gaps.
  • What didn’t go well:
    The disclosure process allowed omission of required endpoint metadata without automated detection.
  • Where we got lucky:
    The CA was not used, limiting operational impact while remediation actions were implemented.

Action Items

Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status
--- | --- | --- | --- | --- | ---
Collect and analyze all CCADB reports and compare against CA usage status/dates | Detect | CF#1 | Review completed and documented; discrepancies identified | 2025-11-27 | Done
Introduce a weekly check to eliminate the checklist gap (recurring compliance verification) | Prevent/Detect | CF#1 | Weekly control operating; evidence retained | 2025-12-01 | Done
Fix CCADB records (complete and correct disclosure fields, including CDP) | Correct | CF#1 | Updated CCADB records published and validated | 2025-12-08 | Ongoing
Revoke CAs not used | Correct/Reduce Risk | CF#1 | Unused CA certificates revoked and confirmed | 2026-01-05 | Ongoing
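Contributing Factor #1 above names the missing control: nothing compared the CRL Distribution Points in the CA certificate with what the CCADB record disclosed. The following is an added example of such a check, written for this page and not NETLOCK's tooling or anything from this bug. It assumes the DER value of the id-ce-cRLDistributionPoints extension (OID 2.5.29.31) has already been extracted from the certificate, and it models the CCADB record as a dict with an assumed `crl_urls` field rather than the real CCADB schema.

```python
# Added example: flag CRL Distribution Point URIs that are present in a CA
# certificate's CDP extension but absent from its CCADB disclosure record.
# Assumptions: the extension's DER value is already extracted (e.g. with
# openssl asn1parse); the CCADB record is a dict whose "crl_urls" field name
# is an assumption, not the CCADB schema.

def _der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (short-form length is enough for the sample)."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload

def _tlvs(data: bytes):
    """Yield (tag, payload) for each TLV in a DER byte string."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                     # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def cdp_uris(ext_value: bytes) -> list:
    """Collect GeneralName uniformResourceIdentifier entries ([6], tag 0x86)
    reachable from distributionPoint names; cRLIssuer ([2]) names are skipped
    because they identify an issuer, not a download location."""
    found = []
    for tag, payload in _tlvs(ext_value):
        if tag == 0x86:
            found.append(payload.decode("ascii"))
        elif tag == 0xA2:
            continue
        elif tag & 0x20:                      # constructed: descend
            found.extend(cdp_uris(payload))
    return found

def undisclosed_cdps(ext_value: bytes, ccadb_record: dict) -> list:
    """URIs the certificate carries but the CCADB record does not disclose."""
    disclosed = set(ccadb_record.get("crl_urls", []))
    return [u for u in cdp_uris(ext_value) if u not in disclosed]

# Constructed sample: CRLDistributionPoints ::= SEQUENCE OF DistributionPoint,
# DistributionPoint { [0] DistributionPointName { fullName [0] GeneralNames { [6] uri } } }
SAMPLE_CDP_EXT = _der(0x30, _der(0x30, _der(0xA0, _der(0xA0,
    _der(0x86, b"http://crl.example.test/ca.crl")))))

if __name__ == "__main__":
    # Hypothetical CCADB record that omits the CRL URL, as in this report.
    print("undisclosed:", undisclosed_cdps(SAMPLE_CDP_EXT, {"crl_urls": []}))
```

Running this over every intermediate CA record before submission turns the checklist item into a mechanical gate; an empty result means the disclosure matches the certificate.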

Dear Community Members,

We would like to provide a status update on the action items from our incident report.

  • Fix CCADB records (complete and correct disclosure fields, including CDP): This remediation work is still in progress.
  • Revoke CAs not used: Execution of this item has been scheduled according to our plan and remains on track.

We will post another update once the CCADB record corrections are completed and the revocations have been carried out.

> Fix CCADB records (complete and correct disclosure fields, including CDP): This remediation work is still in progress.

As the published due date for this item has now passed, can you propose a new due date, and perhaps a reason for not meeting the original date?

Flags: needinfo?(kaluha.roland)

Dear Community Members,

We would like to provide an update and also respond to the question raised in comment 7.

During our investigation—completed on 2025-12-03—we determined that three additional CA certificates suffer from the same issue previously reported. This means a total of four affected CA certificates. The affected CAs are:

  • NETLOCK TLS DV ECC CA
  • NETLOCK TLS EV ECC CA
  • NETLOCK TLS OV ECC CA
  • NETLOCK TLS Qualified EV ECC CA

As a result, we will revoke all of these CAs and remove them from the CCADB prior to the originally scheduled deadline. The revocation and deletion tasks have now been scheduled to be completed by 2025-12-18.

Following this expanded assessment, we have updated the Action Items section of our full incident report to reflect the revised remediation steps. The updated table is included below.

Action Items

Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status
--- | --- | --- | --- | --- | ---
Collect and analyze all CCADB reports and compare against CA usage status/dates | Detect | CF#1 | Review completed and documented; discrepancies identified | 2025-11-27 | Done
Introduce a weekly check to eliminate the checklist gap (recurring compliance verification) | Prevent/Detect | CF#1 | Weekly control operating; evidence retained | 2025-12-01 | Done
Review CA certificates similar to the one referenced in the report | Detect/Correct | CF#1 | All similar CA certificates reviewed; affected ones identified and documented | 2025-12-03 | Done
Revoke CAs not used | Correct/Reduce Risk | CF#1 | All unused/affected CA certificates revoked and removed from CCADB | 2025-12-18 | Ongoing

We will continue to provide updates as revocation and CCADB cleanup activities progress, and we will prepare a closure report as the final step.

Flags: needinfo?(kaluha.roland)

Dear Community Members,

We would like to provide a final update following our previous status report.

As planned, the revocation of all four affected CA certificates was successfully completed on 2025-12-18, and the corresponding CA records have been removed from the CCADB. The affected CAs were:

  • NETLOCK TLS DV ECC CA
  • NETLOCK TLS EV ECC CA
  • NETLOCK TLS OV ECC CA
  • NETLOCK TLS Qualified EV ECC CA

With these actions completed, we have updated the Action Items section to reflect the current status, as shown below.

Action Items

Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status
--- | --- | --- | --- | --- | ---
Collect and analyze all CCADB reports and compare against CA usage status/dates | Detect | CF#1 | Review completed and documented; discrepancies identified | 2025-11-27 | Done
Introduce a weekly check to eliminate the checklist gap (recurring compliance verification) | Prevent/Detect | CF#1 | Weekly control operating; evidence retained | 2025-12-01 | Done
Review CA certificates similar to the one referenced in the report | Detect/Correct | CF#1 | All similar CA certificates reviewed; affected ones identified and documented | 2025-12-03 | Done
Revoke CAs not used | Correct/Reduce Risk | CF#1 | All unused/affected CA certificates revoked and removed from CCADB | 2025-12-18 | Done

With all remediation actions completed, we will now proceed with publishing the Incident Closure Summary as the final step.

Incident Closure Summary

  • Incident description:
    A third party reported that a NETLOCK CA certificate contains CRL Distribution Points (CDP) in the certificate (e.g., crt.sh ID 13803124572), but the corresponding CCADB record did not disclose the CRL Distribution Point(s). NETLOCK confirmed this was a CCADB disclosure/metadata omission (missing CRL DP disclosure), and investigated scope and remediation.

  • Incident Root Cause(s):
    The issue was caused by human error and a checklist gap in the CCADB disclosure workflow, as well as the absence of automated tooling to detect discrepancies between certificate extensions and CCADB-disclosed metadata. These contributed to the omission of required endpoint information from CCADB records.

  • Remediation description:
    NETLOCK conducted a comprehensive review of CA certificates with characteristics similar to the originally reported CA. This review identified a total of four affected CA certificates:

    • NETLOCK TLS DV ECC CA
    • NETLOCK TLS EV ECC CA
    • NETLOCK TLS OV ECC CA
    • NETLOCK TLS Qualified EV ECC CA

    As none of these certificates were used in production, NETLOCK revoked all four affected CA certificates and removed their corresponding records from the CCADB. This action was completed on 2025-12-18. In addition, NETLOCK implemented recurring weekly compliance checks to verify future CCADB disclosures and eliminate the previously identified checklist gap.

  • Commitment summary:
    All action items outlined in the Full Incident Report have been completed:

    1. Review and analysis of CCADB reports against CA usage status — done
    2. Implementation of weekly compliance verification checks — done
    3. Review of CA certificates similar to the one originally referenced — done
    4. Revocation of all unused/affected CA certificates and removal from CCADB — completed on 2025-12-18

NETLOCK considers this incident fully remediated and respectfully requests closure of this incident report.

This is a final call for comments or questions on this Incident Report.

Otherwise, it will be closed on approximately 2026-01-05.

Whiteboard: [ca-compliance] [disclosure-failure] → [close on 2026-01-05] [ca-compliance] [disclosure-failure]
Status: ASSIGNED → RESOLVED
Closed: 13 days ago
Resolution: --- → FIXED
Whiteboard: [close on 2026-01-05] [ca-compliance] [disclosure-failure] → [ca-compliance] [disclosure-failure]