iTrusChina: Finding in Routine WebTrust Audit - Domain validation records without the TLS BR version
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: vTrus_contact, Assigned: vTrus_contact)
Details
(Whiteboard: [ca-compliance] [audit-finding])
Preliminary Incident Report
Summary
- Incident description: During the 2025 WebTrust annual audit, iTrusChina was notified by the auditor that its domain validation records lack the TLS Baseline version, which is considered a violation of the requirements of WebTrust for CA – TLS Baseline V2.9 (Section 4.1) and TLS BRs 3.2.2.4. iTrusChina has stopped new issuance and is investigating the root causes. We will disclose the Full Incident Report ASAP.
- Relevant policies: TLS BRs V2.2.2 (Section 3.2.2.4) & WebTrust for CA – TLS Baseline V2.9 (Section 4.1)
- Source of incident disclosure: Audit
Updated•1 month ago
Comment 1•1 month ago
Full Incident Report
Summary
- CA Owner CCADB unique ID: A006399
- Incident description: During the 2025 routine WebTrust audit, iTrusChina was notified by the auditor that its Domain validation records lack the TLS Baseline version, which is considered a violation of the requirements of WebTrust for CA – TLS Baseline V2.9 (Section 4.1) and TLS BR 3.2.2.4. TLS BR requires “CAs SHALL maintain a record of which domain validation method, including relevant BR version number, they used to validate every domain.”
- Timeline summary:
- Non-compliance start date: 2018-7-31
- Non-compliance identified date: 2026-1-30
- Non-compliance end date: 2026-2-5
- Relevant policies: WebTrust for CA – TLS Baseline V2.9 and TLS BRs V2.2.2
- Source of incident disclosure: Audit
Impact
- Total number of certificates: N/A
- Total number of "remaining valid" certificates: N/A
- Affected certificate types: N/A
- Incident heuristic: N/A
- Was issuance stopped in response to this incident, and why or why not?: Yes, following the auditor's advice and to minimise the non-compliance, we stopped the new issuance of TLS certificates and plan to issue new ones after the problem is resolved.
- Analysis: N/A
- Additional considerations: N/A
Timeline (All times are UTC+8)
| Time | Event |
|---|---|
| 2019-7-31 | iTrusChina began undergoing WebTrust audits; the RA system lacked the function of recording the TLS BR version number of each domain validation. |
| 2026-1-30 | iTrusChina was notified by the auditor and confirmed the non-compliance, and the new issuance of TLS certificates was stopped. |
| 2026-2-2 | The internal departments began root cause analysis and formulated the remediation plan. The compliance team openly disclosed the audit finding in this incident. |
| 2026-2-5 | iTrusChina updated the RA system and fixed the problem; all new issuance of TLS certificates will have the corresponding BR version number of every domain validation. |
Related Incidents
| Bug | Date | Description |
|---|---|---|
| Bug 2008788 | 2026-1-6 | GTLSCA of Chunghwa Telecom has a similar audit finding of domain validation records without the TLS BR version. |
Root Cause Analysis
Contributing Factor #1: Inadequate understanding of TLS BR's requirements about the BR version number
- Description: iTrusChina has established a mechanism for tracking requirement changes in the BRs, root program policies, and Bugzilla incidents. The compliance team regularly (at least quarterly) prepares and shares policy tracking reports and compliance requirements with the production, R&D, and verification teams. Unfortunately, our understanding of the BR version number requirement was inadequate: we wrongly thought that disclosing in the CP/CPS that iTrusChina adheres to the latest TLS BR, and recording the validation method of each domain in the RA system, met the BR requirements.
- Timeline: The same as the above timeline.
- Detection: Audit
- Interaction with other factors: The inadequate understanding (#1) resulted in the absence of a corresponding function design of the RA system (#2).
- Root Cause Analysis methodology used: 5-whys
Contributing Factor #2: RA system design flaws caused by the inadequate understanding
- Description: Due to the inadequate understanding, our RA system and its later updates didn't have the function of recording the corresponding BR version number of every domain validation.
- Detection: Audit
- Interaction with other factors: See the above description.
- Root Cause Analysis methodology used: 5-whys
Lessons Learned
- What went well: We have noticed the requirement of the BR version number and have taken measures to meet it, though the measures are not sufficient. There are also other similar Bugzilla incidents to help us better understand this event.
- What didn’t go well: The issue was discovered relatively late, and there were no similar incidents until 2026.
- Where we got lucky: N/A
- Additional: N/A
Action Items
| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Update the RA system to record the BR version numbers | Mitigate | Root Cause #2 | The RA system's function of recording every domain validation's BR version number is deployed in the production environment. Evidence is provided to internal and external audit to confirm that new issuance complies with the BR. | 2026-02-05 | Done |
| Train relevant staff to improve awareness | Prevent | Root Cause #1 | Train the compliance, verification, production, and other teams to enhance staff's understanding of these requirements, make sure the BR version number in the RA system is correctly recorded, and ensure future system design takes it into account. | 2026-02-03 | Done |
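The remediated RA system in the action item above records a validation method and a BR version number for every domain. The following is an added example of the kind of self-check a CA compliance engineer could run over an export of those records to catch exactly the gap the auditor found; it is not iTrusChina's RA code, and the CSV column names, the enabled-method allowlist, and the sample rows are all constructed for illustration.

```python
"""Self-check over RA domain-validation records (added example, not the CA's own code).

TLS BR 3.2.2.4 requires the CA to keep, for every validated domain, which
validation method was used and the BR version that method came from. This
script flags records missing either field, records whose method is not a
BR 3.2.2.4.x identifier, and records using a method the RA is not configured
to use. Column names, the allowlist and the sample export are assumptions.
"""
import csv
import io
import re

# Methods this hypothetical RA is configured to use (constructed allowlist);
# a record citing any other method identifier is flagged for review.
ENABLED_METHODS = {"3.2.2.4.7", "3.2.2.4.18", "3.2.2.4.19", "3.2.2.4.20"}

METHOD_RE = re.compile(r"^3\.2\.2\.4\.\d{1,2}$")   # BR method numbering
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")         # BR version, e.g. 2.2.2

# Constructed sample export from the RA system; the column names are assumed.
SAMPLE_EXPORT = """\
domain,method,br_version,validated_at
example.com,3.2.2.4.7,2.2.2,2026-02-05T09:12:00+08:00
www.example.net,3.2.2.4.19,,2026-02-04T15:40:00+08:00
api.example.org,,2.2.2,2026-02-03T10:01:00+08:00
shop.example.com,DNS change,2.2.2,2026-02-05T11:30:00+08:00
mail.example.com,3.2.2.4.6,2.2.2,2026-02-05T12:00:00+08:00
"""


def check_record(rec: dict) -> list:
    """Return a list of compliance problems for one validation record (empty if OK)."""
    problems = []
    method = (rec.get("method") or "").strip()
    version = (rec.get("br_version") or "").strip()

    if not method:
        problems.append("missing validation method")
    elif not METHOD_RE.match(method):
        problems.append(f"method {method!r} is not a BR 3.2.2.4.x identifier")
    elif method not in ENABLED_METHODS:
        problems.append(f"method {method} is not enabled in this RA")

    if not version:
        problems.append("missing BR version number")
    elif not VERSION_RE.match(version):
        problems.append(f"BR version {version!r} is not in X.Y.Z form")
    return problems


def audit_export(text: str) -> dict:
    """Parse a CSV export and map each non-compliant domain to its problems."""
    findings = {}
    for rec in csv.DictReader(io.StringIO(text)):
        problems = check_record(rec)
        if problems:
            findings[rec["domain"]] = problems
    return findings


if __name__ == "__main__":
    for domain, problems in audit_export(SAMPLE_EXPORT).items():
        print(domain)
        for p in problems:
            print("  -", p)
```

Running it against the constructed export reports four of the five domains; only `example.com`, which carries both a recognised method and a BR version, passes. In practice the check would be run over the full RA history back to the non-compliance start date, since every domain validated before the fix is a record without a BR version.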
Comment 2•1 month ago
iTrusChina is monitoring this bug for comments and questions; we will provide more information if needed.
Comment 3•1 month ago
iTrusChina is monitoring this bug for comments and questions, thanks.
Comment 4•23 days ago
iTrusChina is monitoring this bug for comments and questions; all the action items have been finished, and we will provide more information if needed.
Comment 5•14 days ago
iTrusChina is monitoring this bug for comments and questions, thanks.
Comment 6 (Wayne)
Please note that following the CCADB Incident Reporting Guidelines updates should be provided weekly, unless a 'next update' date has been set in advance. That is a separate incident to be raised.
When are reports updated?
CA Owners SHOULD respond promptly to comments and questions, and MUST respond within 7 days, even if only to acknowledge the request and provide a timeline for a full response.
If you believe this incident is resolved please submit a closure report.
Comment 7•15 hours ago
(In reply to Wayne from comment #6)
Please note that following the CCADB Incident Reporting Guidelines updates should be provided weekly, unless a 'next update' date has been set in advance. That is a separate incident to be raised.
When are reports updated?
CA Owners SHOULD respond promptly to comments and questions, and MUST respond within 7 days, even if only to acknowledge the request and provide a timeline for a full response.
If you believe this incident is resolved please submit a closure report.
Hello Wayne,
Thanks for your comment, iTrusChina monitors the open Bugzilla incidents daily to timely respond to the community’s comments. The following is our Report Closure Summary.
Comment 8•8 hours ago
(In reply to Wayne from comment #6)
Please note that following the CCADB Incident Reporting Guidelines updates should be provided weekly, unless a 'next update' date has been set in advance. That is a separate incident to be raised.
When are reports updated?
CA Owners SHOULD respond promptly to comments and questions, and MUST respond within 7 days, even if only to acknowledge the request and provide a timeline for a full response.
If you believe this incident is resolved please submit a closure report.
Hello Wayne,
We have filed a separate incident, Bug 2025248, to disclose the root causes, and we will submit the Report Closure Summary of this incident when it is fully resolved.