NETLOCK: Missing Related Incidents section in the bug report
Categories: CA Program :: CA Certificate Compliance (task)
Tracking: Not tracked
People: Reporter kaluha.roland; Assigned kaluha.roland
Details: Whiteboard [ca-compliance] [policy-failure]
Preliminary Incident Report
Summary
- Incident description: In Bug 2004699, NETLOCK stated that the “Related Incidents” section is limited to incidents that occurred within NETLOCK’s own operations. However, the CCADB incident reporting guidelines require that “Related incidents should consider incidents beyond those belonging solely to the CA owner that is the subject of the report.” This was clarified through community feedback during the incident investigation.
- Relevant policies:
  - CCADB Incident Reporting Guidelines – requirements for the “Related Incidents” section, which must take into account incidents beyond the reporting CA’s own incident.
  - Mozilla Root Store Policy – expectations for transparent incident reporting and demonstrable learning from ecosystem-wide incidents.
  - CA/Browser Forum Baseline Requirements – general compliance obligations and ecosystem expectations (with respect to incident handling and reporting).
- Source of incident disclosure: Community feedback and clarification from the Mozilla program within Bugzilla comments related to bug 2004699, including requests to submit a separate incident report regarding deficiencies in IRG compliance and to update the “Related Incidents” section accordingly.
Full Incident Report
Summary
- CA Owner CCADB unique ID: A000039
- Incident description: NETLOCK’s incident report submitted in relation to Bug 2004699 did not fully comply with the CCADB Incident Reporting Guidelines regarding the “Related Incidents” section. Specifically, the report limited the scope of “Related Incidents” to incidents that occurred within NETLOCK’s own operations, whereas the CCADB IRG requires consideration of ecosystem-wide incidents, including those affecting other CA operators, where relevant for root cause understanding and remediation. This interpretation was clarified through community feedback in Bugzilla. As a result, this separate incident report addresses the deficiency in IRG compliance and documents corrective actions.
- Timeline summary:
  - Non-compliance start date: 2025-12-29
  - Non-compliance identified date: 2026-01-12
  - Non-compliance end date: 2026-01-29
- Relevant policies:
  - CCADB Incident Reporting Guidelines – Requirements for the “Related Incidents” section, including consideration of incidents beyond the reporting CA’s own operations.
  - Mozilla Root Store Policy – Expectations for transparent, complete, and ecosystem-aware incident reporting.
  - CA/Browser Forum Baseline Requirements – General compliance obligations and ecosystem expectations regarding incident handling and reporting.
- Source of incident disclosure: Community feedback and clarification from the Mozilla Root Program within Bugzilla comments related to Bug 2004699, including explicit requests to submit a separate incident report regarding IRG compliance deficiencies and to update the “Related Incidents” section accordingly.
Impact
- Total number of certificates: 0
- Total number of "remaining valid" certificates: 0
- Affected certificate types: None
- Incident heuristic: Reporting non-compliance (procedural / documentation deficiency)
- Was issuance stopped in response to this incident, and why or why not?: No. The incident concerns documentation and reporting completeness only. No technical or validation defect affecting certificate issuance was identified.
- Analysis: The non-compliance was limited to the scope and interpretation of the “Related Incidents” section in a previously submitted incident report. There was no impact on issued certificates, no mis-issuance, and no degradation of security. The impact is therefore limited to transparency and reporting completeness within the Mozilla/CCADB ecosystem. NETLOCK recognizes that incomplete ecosystem analysis can weaken collective learning and reduce the effectiveness of preventive controls, and therefore treats this as a compliance-relevant governance issue.
- Additional considerations: Although this incident did not affect certificates, it impacts the quality and completeness of incident reporting and therefore the level of confidence that relying parties and root programs can place in the CA’s incident handling maturity.
Timeline
- 2025-12-29 – Full incident report submitted in Bug 2004699.
- 2026-01-12 – Community members raised concerns regarding the limited interpretation of the “Related Incidents” requirement.
- 2026-01-21 – Mozilla Root Program clarified expectations that related incidents must include ecosystem-wide incidents, not only those of the reporting CA.
- 2026-01-28 – Internal review initiated regarding IRG interpretation and incident reporting controls.
- 2026-01-29 – Separate incident report (this report) submitted to address the identified IRG non-compliance.
- 2026-01-30 – NETLOCK acknowledged the clarification and confirmed commitment to corrective action.
Related Incidents
| Bug | Date | Description |
|---|---|---|
| Bug 2004699 | 2025-12-29 | Original incident report where the “Related Incidents” section was limited to NETLOCK-only incidents, which led to this IRG compliance issue. |
| Bug 2013395 | 2026-01-29 | Separate incident opened to address IRG non-compliance concerning ecosystem-wide consideration of related incidents. |
NETLOCK acknowledges that related incidents must include relevant ecosystem-wide cases where similar failure modes, control weaknesses, or governance deficiencies occurred at other CA operators. NETLOCK considers it essential to systematically review such incidents, analyze their applicability, and, where feasible, adapt lessons learned into its own operational and compliance framework.
Root Cause Analysis
Contributing Factor #1: Narrow interpretation of IRG wording
- Description: Internal interpretation of the “Related Incidents” section focused primarily on incidents within NETLOCK’s operational scope. The broader intent—explicit ecosystem-wide comparative analysis—was not sufficiently embedded into the reporting template or review checklist.
- Timeline: The misinterpretation existed prior to submission of Bug 2004699 and remained until clarified by community feedback.
- Detection: Identified through Mozilla community comments in Bugzilla.
- Interaction with other factors: The absence of a formalized cross-CA incident analysis requirement reinforced the limited interpretation.
- Root Cause Analysis methodology used: 5-Why methodology combined with structured compliance gap analysis against CCADB IRG requirements.
Contributing Factor #2: Insufficient formalization of ecosystem learning integration
- Description: Although NETLOCK informally monitors incidents affecting other CA operators, this activity was not formally integrated into the incident reporting control framework. The requirement to explicitly document cross-CA analysis was not mandatory within the workflow.
- Timeline: Ongoing condition prior to this incident.
- Detection: Identified during internal post-feedback compliance review.
- Interaction with other factors: The lack of formal documentation requirements contributed to the narrow reporting scope.
- Root Cause Analysis methodology used: Process mapping and governance control assessment.
Lessons Learned
- What went well:
  - The issue was identified early through constructive community dialogue.
  - NETLOCK engaged transparently and acknowledged the clarification without disputing uniform compliance obligations.
  - A separate incident report was opened promptly to address the deficiency.
- What didn’t go well:
  - The IRG requirement was interpreted too narrowly.
  - Ecosystem-wide incident analysis was not systematically embedded in reporting procedures.
- Where we got lucky:
  - The issue concerned reporting completeness only and did not involve certificate mis-issuance or security impact.
- Additional: NETLOCK fully recognizes the importance of learning not only from its own incidents but also from the experiences of other CA operators. While operational environments may differ, such differences do not justify deviations from uniform compliance requirements. They must instead be explicitly evaluated during root cause analysis to ensure comprehensive and durable remediation. NETLOCK will therefore strengthen its internal processes to ensure that ecosystem-wide incidents are systematically reviewed, interpreted, and—where applicable—adapted into its own preventive and detective controls.
Action Items
| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Update Incident Reporting Procedure to require documented ecosystem-wide related incident review | Prevent | Root Cause #1, #2 | Updated procedure formally approved and implemented | 2026-02-28 | In Progress |
| Introduce mandatory checklist item for “Cross-CA Incident Analysis” specifically covering ecosystem-wide “Related Incidents” identification and documentation in incident reports | Prevent | Root Cause #1 | Checklist integrated into incident reporting workflow and verified during the next incident report review | 2026-02-28 | In Progress |
| Conduct internal training on CCADB IRG interpretation and Mozilla expectations | Prevent | Root Cause #1 | Training completed; attendance recorded | 2026-03-15 | Planned |
| Perform retrospective review of recent incident reports for IRG completeness | Detect | Root Cause #2 | Documented internal review report | 2026-03-31 | Planned |
| Establish quarterly structured review of major ecosystem incidents (cross-CA learning session) | Prevent | Root Cause #2 | First session completed and documented | 2026-04-30 | Planned |
Appendix
N/A
(In reply to Nikolett from comment #1)
> Full Incident Report
> Summary
> CA Owner CCADB unique ID: A000039
> Incident description:
> NETLOCK’s incident report submitted in relation to Bug 2004699 did not fully comply with the CCADB Incident Reporting Guidelines regarding the “Related Incidents” section. Specifically, the report limited the scope of “Related Incidents” to incidents that occurred within NETLOCK’s own operations, whereas the CCADB IRG requires consideration of ecosystem-wide incidents, including those affecting other CA operators, where relevant for root cause understanding and remediation. This interpretation was clarified through community feedback in Bugzilla. As a result, this separate incident report addresses the deficiency in IRG compliance and documents corrective actions.
> Timeline summary:
> - Non-compliance start date: 2025-12-29
> - Non-compliance identified date: 2026-01-12
> - Non-compliance end date: 2026-01-29

Are we sure this is the non-compliance end date?

> Related Incidents
> | Bug | Date | Description |
> |---|---|---|
> | Bug 2004699 | 2025-12-29 | Original incident report where the “Related Incidents” section was limited to NETLOCK-only incidents, which led to this IRG compliance issue. |
> | Bug 2013395 | 2026-01-29 | Separate incident opened to address IRG non-compliance concerning ecosystem-wide consideration of related incidents. |

This also occurred in another final incident report filed today: #2013400...
Dear Community Members,
Thank you again for your feedback. We appreciate the constructive dialogue, and we believe that reporting our issues transparently — and responding to them openly — helps both the community and NETLOCK improve.
During preparation of our full incident report, we attempted to identify any fully comparable incident filed by other CAs. However, we did not find relevant examples at that time, and therefore we only listed our own related bugs in the “Related Incidents” section.
Regarding the question raised in Comment #2 about whether the non-compliance end date should be later than 2026-01-29: we agree that this requires clarification. While 2026-01-29 reflects the date when this separate incident report was filed and the reporting deficiency was acknowledged, the underlying procedural gap is not yet fully remediated.
The preventive and detective actions listed in the Action Items section have not yet been completed, therefore the non-compliance condition should be considered ongoing until those controls are formally implemented and verified. Our processes are currently being improved and are not yet fully complete.
We will update the incident report accordingly once the corrective actions have been completed.
Dear Community Members,
We are continuing to execute the planned actions in accordance with the established timeline. We will update the incident report accordingly once all corrective actions have been completed.
Dear Community Members,
Work on the planned actions is ongoing. We will provide an update once there is relevant progress to report.
Dear Community Members,
NETLOCK provides the following status update on the action items defined in this incident report.
Completed:
The Incident Reporting Procedure has been updated to require documented ecosystem-wide review of related incidents.
A mandatory checklist item for “Cross-CA Incident Analysis” has been integrated into the incident reporting workflow.
In progress:
Internal training on CCADB Incident Reporting Guidelines interpretation and Mozilla Root Program expectations is currently being prepared and scheduled.
Further updates will be provided as additional action items are completed.
Dear Community Members,
During this reporting period, the internal training on CCADB Incident Reporting Guidelines (IRG) interpretation and Mozilla expectations was successfully completed. Participation was documented in accordance with the defined evaluation criteria. Consequently, this action item is now considered fulfilled.