Closed Bug 2008782 Opened 2 months ago Closed 19 days ago

Chunghwa Telecom: Findings in 2025 WebTrust Audit - GTLSCA Audit Incident Report #1 - mass certificate revocation plan

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: tmkuo, Assigned: tmkuo)

Details

(Whiteboard: [ca-compliance] [audit-finding] )

Preliminary Incident Report

Summary

  • Incident description: During the audit period, GTLSCA’s mass certificate revocation plan has not been approved, and its content does not fully comply with CAB requirements, for example, activation criteria, targets and timelines.
  • Relevant policies: TLS BR 5.7.1.2 Mass Revocation Plans
  • Source of incident disclosure: Audit
Summary: Chunghwa Telecomm: Findings in 2025 WebTrust Audit - GTLSCA Audit Incident Report #1 - mass certificate revocation plan → Chunghwa Telecom: Findings in 2025 WebTrust Audit - GTLSCA Audit Incident Report #1 - mass certificate revocation plan
Assignee: nobody → tmkuo
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [audit-finding]

Full Incident Report

Summary

  • CA Owner CCADB unique ID: A006506
  • Incident description: During the audit period, GTLSCA’s mass certificate revocation plan has not been approved, and its content does not fully comply with CAB requirements, for example, activation criteria, targets and timelines. The issue did not arise from an active security breach or certificate compromise, but from insufficient procedural readiness and documentation demonstrating the CA’s ability to execute timely and controlled mass revocation in the event of a CA incident. GTLSCA has clearly defined a complete execution process for large-scale certificate revocation; however, due to the impact of certain drill schedules, the approval and sign-off of the related supporting evidence could not be fully completed within the audit period. Only the CA Incident and Reporting Guide developed by the GTLSCA team was accepted by the auditor.
  • Timeline summary:
    • Non-compliance start date: 2025-08-25
    • Non-compliance identified date: 2025-11-18
    • Non-compliance end date: 2025-11-27
  • Relevant policies: TLS BR 5.7.1.2 Mass Revocation Plans

...
The CA’s mass revocation plan MUST include clearly defined, actionable, and comprehensive procedures designed to ensure rapid, consistent, and reliable response to large-scale certificate revocation scenarios. The CA is not required to publicly disclose its mass revocation plan or procedures but MUST make them available to its auditors upon request. The CA SHALL annually test, review, and update its plan and such procedures. The CA’s mass revocation plan MAY be integrated into the CA’s incident response, business continuity, disaster recovery, or other similar plans or procedures, provided that provisions governing mass revocation events remain clearly identifiable and satisfy these requirements.

  • Source of incident disclosure: Audit

Impact

  • Total number of certificates: N/A
  • Total number of "remaining valid" certificates: N/A
  • Affected certificate types: N/A
  • Incident heuristic:
    (a) Limited evidence of activation criteria, targets and timelines, or drills for mass revocation scenarios.
    (b) Potential risk of delayed response to incidents requiring urgent revocation, as required by TLS BR.
  • Was issuance stopped in response to this incident, and why or why not?: As there were no certificates misissued, issuance was not stopped. However, this CA has already stopped issuing TLS certificates in early March 2025.
  • Analysis:
  • Additional considerations:

Timeline

All times are UTC+8.

2025-07-11 ~ 2025-07-24

  • Simulation exercised and developed the CA Incident and Reporting Guide.

2025-07-24 ~ 2025-08-17

  • Execute the update of relevant procedural documents (known as version 1), including Mass Revocation Planning. (not yet submitted for approval)

2025-08-17 ~ 2025-09-09

  • Relevant procedural documents (version 1) were submitted and approved.
    ** Within the audit period, the auditor considered that the content of the version 1 documents does not fully comply with CAB requirements, for example, activation criteria, targets and timelines.

2025-08-25

  • TLS BR 2.1.8 and Mass Revocation Planning became effective based on SC-089. [start of the non-compliance]

2025-09-23

  • PMA approved and published the policy documents (i.e., CPS).

2025-11-06

  • Conduct the 1st mass certificate revocation drill (On-site drill).

2025-11-06 ~ 2025-11-10

  • Execute the update of relevant procedural documents (known as version 2), including activation criteria, targets and timelines.

2025-11-10 ~ 2025-11-27

  • Relevant procedural documents (version 2) were submitted and approved.
    ** The content fully complies with the CAB requirements.

2025-11-18

  • 17:00-18:00 GTLSCA Auditing Close Meeting. [identification of the non-compliance]

2025-11-20

  • 14:00-15:00 Internal meeting discussing the finding received and planning the improvement plan. (GTLSCA Team and Root CA Team)

2025-11-21

  • Conduct the second mass certificate revocation drill (On-site drill).

2025-11-27

  • End of the approval routing process. [end of the non-compliance]

Related Incidents

| Bug | Date | Description |
| --- | --- | --- |
| [Related Bug ID](Related Bug URL) | Date Related Bug was opened | A description of how the subject Bug is related to the Bug referenced. |

Root Cause Analysis

Contributing Factor 1: Timing and governance gap between operational execution and formal documentation finalization

  • Description: GTLSCA team had already implemented and tested mass certificate revocation procedures through coordinated drills with the Root CA team. However, updates to process documentation triggered by improvements identified during drills required formal revision and multi-level sign-off. Due to internal document control and approval timelines, these revised documents and signatures were not fully completed within the audit period. Consequently, the audit evidence provided did not fully reflect the current and practiced state of readiness, resulting in a perceived discrepancy with TLS BR requirements.
  • Timeline:
    2025-07-11 ~ 2025-07-24: Simulation exercised and developed the CA Incident and Reporting Guide.
    2025-07-24 ~ 2025-08-17: Execute the update of relevant procedural documents (known as version 1)
    2025-08-17 ~ 2025-09-09: Relevant procedural documents (version 1) were submitted and approved.
    ** Within the audit period, the auditor considered that the content of the version 1 documents does not fully comply with CAB requirements, for example, activation criteria, targets and timelines.
    2025-08-25: TLS BR 2.1.8 and Mass Revocation Planning became effective based on SC-089.
    2025-11-06: Conduct the 1st mass certificate revocation drill (On-site drill).
    2025-11-06 ~ 2025-11-10: Execute the update of relevant procedural documents (known as version 2), including activation criteria, targets and timelines.
    2025-11-10 ~ 2025-11-27: Relevant procedural documents (version 2) were submitted and the approval routing process was initiated.
    ** The content fully complies with the CAB requirements.
    2025-11-18: GTLSCA Auditing Close Meeting.
    2025-11-27: End of the approval routing process.
  • Detection: Findings identified during the annual audit process.
  • Interaction with other factors:
    (a) Audit readiness must align not only with operational capability but also with documented and approved artifacts.
    (b) Change management and document lifecycle planning must incorporate audit timelines to ensure that evidence maturity matches procedural maturity.
  • Root Cause Analysis methodology used:

Lessons Learned

  • What went well: GTLSCA team has developed CA Incident and Reporting Guide.
  • What didn’t go well: Due to internal document control and approval timelines, updates to process documentation were not fully completed within the audit period. In summary, audit readiness requires both operational and documentation maturity.
  • Where we got lucky: N/A
  • Additional:
    (a) Even when incident response processes are actively exercised and effective, incomplete document versioning or pending approvals can lead to audit findings.
    (b) Early identification of documents impacted by drill-driven changes allows for prioritization of approvals critical to compliance validation.

Action Items

| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
| --- | --- | --- | --- | --- | --- |
| Complete and formalize all mass revocation related procedures and documents | Mitigate | Root Cause # 1 | Ensure all documents undergo full version control and receive required approvals under internal governance. | 2025-11-27 | Completed |
| Audit Readiness Alignment | Prevent | Root Cause # 1 | Establish an audit readiness checklist to ensure all required evidence is finalized, approved, and available prior to audit periods. | 2026-01-15 | Completed |
| Strengthen document governance and approval timeliness | Prevent | Root Cause # 1 | (a) Introduce prioritization for audit‑critical documents. (b) Improve visibility and tracking of document revision and approval progress. | 2026-01-23 | Ongoing |

Appendix

N/A

For the delayed disclosure related to this audit finding, please refer to Bug 2009043.

Chunghwa Telecom is monitoring this bug for comments and questions. We have no new information at the moment.

Action Items Update

| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
| --- | --- | --- | --- | --- | --- |
| Complete and formalize all mass revocation related procedures and documents | Mitigate | Root Cause # 1 | Ensure all documents undergo full version control and receive required approvals under internal governance. | 2025-11-27 | Completed |
| Audit Readiness Alignment | Prevent | Root Cause # 1 | Establish an audit readiness checklist to ensure all required evidence is finalized, approved, and available prior to audit periods. | 2026-01-15 | Completed |
| Strengthen document governance and approval timeliness | Prevent | Root Cause # 1 | (a) Introduce prioritization for audit‑critical documents. (b) Improve visibility and tracking of document revision and approval progress. | 2026-01-27 | Completed |

Chunghwa Telecom is monitoring this bug for comments and questions. We have no new information at the moment.

Report Closure Summary

  • Incident description: During the audit period, GTLSCA’s mass certificate revocation plan has not been approved, and its content does not fully comply with the BR requirements, for example, activation criteria, targets and timelines. The issue did not arise from an active security breach or certificate compromise, but from insufficient procedural readiness and documentation demonstrating the CA’s ability to execute timely and controlled mass revocation in the event of a CA incident. GTLSCA has clearly defined a complete execution process for large-scale certificate revocation; however, due to the impact of certain drill schedules, the approval and sign-off of the related supporting evidence could not be fully completed within the audit period. Only the CA Incident and reporting guideline developed by the GTLSCA team was accepted by the auditor.
  • Incident Root Cause(s): Timing and governance gap between operational execution and formal documentation finalization: GTLSCA team had already implemented and tested mass certificate revocation procedures through coordinated drills with the Root CA team. However, updates to process documentation triggered by improvements identified during drills required formal revision and multi-level sign-off. Due to internal document control and approval timelines, these revised documents and signatures were not fully completed within the audit period. Consequently, the audit evidence provided did not fully reflect the current and practiced state of readiness, resulting in a perceived discrepancy with TLS BR requirements.
  • Remediation description:
    (a) Updated Mass Revocation Procedures (Version 2): Fully compliant with TLS BR 5.7.1.2 and was approved on 2025‑11‑27.
    (b) Completion of Mass Revocation Drills: The first drill was conducted on 2025‑11‑06, and the second drill was conducted on 2025‑11‑21.
    (c) Audit Readiness Alignment Checklist: Ensures all audit‑critical documents are finalized before any audit window. (Completed on 2026‑01‑15)
    (d) Document Governance Improvements: Prioritization for audit‑critical documents and improved visibility and tracking in approval workflow. (Completed on 2026‑01‑27)
  • Commitment summary: Chunghwa Telecom had implemented some measures to prevent recurrence. There are no remaining open deliverables for this incident. Chunghwa Telecom will ensure continuous adherence to Web PKI standards.

All Action Items disclosed in this report have been completed as described, and we request its closure.

This is a final call for comments or questions on this Incident Report.

Otherwise, it will be closed on approximately 2026-02-18.

Whiteboard: [ca-compliance] [audit-finding] → [close on 2026-02-18] [ca-compliance] [audit-finding]
Status: ASSIGNED → RESOLVED
Closed: 19 days ago
Resolution: --- → FIXED
Whiteboard: [close on 2026-02-18] [ca-compliance] [audit-finding] → [ca-compliance] [audit-finding]