iTrusChina: Failure to Respond to Feb 2026 Chrome Root Program Survey
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: vTrus_contact, Assigned: vTrus_contact)
Details
(Whiteboard: [ca-compliance] [disclosure-failure])
Full Incident Report
Summary
- CA Owner CCADB unique ID: A006399
- Incident description: On Mar 3, 2026, iTrusChina was informed by Chrome Root Program Team that it failed to respond to the survey about Chrome Root Policy v1.8 update before the deadline of Feb 26, 2026, which is considered a violation of Chrome Root Policy. The root cause of the incident is that iTrusChina’s new Email Security Gateway wrongly quarantined the Chrome Team’s emails, causing iTrusChina’s POCs’ unawareness of the survey. iTrusChina has responded to the survey and taken measures to avoid the wrong email quarantine by the Gateway.
- Timeline summary:
  - Non-compliance start date: 2026-2-26
  - Non-compliance identified date: 2026-3-3
  - Non-compliance end date: 2026-3-3
- Relevant policies: Chrome Root Policy v1.8
- Source of incident disclosure: Chrome Root Program Team
Impact
- Total number of certificates: N/A
- Total number of "remaining valid" certificates: N/A
- Affected certificate types: N/A
- Incident heuristic: N/A
- Was issuance stopped in response to this incident, and why or why not? No, this incident does not involve mis-issuance and has no impact on subscribers.
- Analysis: N/A
- Additional considerations: N/A
Timeline (All times are UTC+8)
| Time | Event |
|---|---|
| 2026-2-5 | Chrome Root Program Team sent the first email to iTrusChina’s CCADB Primary POCs, asking CAs to respond to the survey about the Root Policy v1.8. Unfortunately, due to some unknown reasons, we did not receive the first email, and there are no records of the email on our Email Security Gateway and email server. |
| 2026-2-24 & 2026-2-26 | Google CA Program Manager (chrome@ccadb.org) sent iTrusChina two reminder emails, which were quarantined by our new Email Security Gateway due to the potential forged sender. iTrusChina’s POCs were not aware of the two reminder emails. |
| 2026-3-3 | Chrome Root Program Team (chrome-root-program@google.com) sent an email to notify iTrusChina that it failed to respond to the survey. We received this email and finished the survey, and gave feedback to the Chrome Team the same day. |
| 2026-3-4 | iTrusChina made the plan to adjust the Email Security Gateway’s quarantine rules and established the mechanism to regularly check the quarantined email lists and send notification to receivers to make sure the mis-quarantined emails were timely re-sent. |
Related Incidents
| Bug | Date | Description |
|---|---|---|
| [Bug 1846216] | 2023-9-29 | Disig had a similar incident, in which it failed to respond to the Jun 2023 Apple Root Program Survey. |
Root Cause Analysis
Contributing Factor #1: Wrong email quarantine by the new Email Security Gateway
- Description: The root cause of this incident is the new Email Security Gateway’s too strict email quarantine rules for international emails, not a human error of neglecting the Chrome survey. iTrusChina has established a mechanism for regularly checking Root Programmers’ Policy changes and surveys; there are at least two primary POCs regularly in charge of this task. Unfortunately, iTrusChina did not receive Chrome Team’s first survey email because of some unknown reasons, and the latter two Chrome Team’s reminder emails were quarantined by our new Email Security Gateway due to potential forged sender; the POCs did not see the survey emails.
- Detection: Internal investigation
- Interaction with other factors: Factor #1 and #2 together caused this incident.
- Root Cause Analysis methodology used: 5-whys
Contributing Factor #2: Inadequate management of quarantined email lists
- Description: The new Email Security Gateway is still in the testing and improvement phase, and iTrusChina lacks adequate management of the emails quarantined by the Email Security Gateway. There is no mechanism to regularly review and re-send the wrongly quarantined ones.
- Timeline: The same as the above timeline.
- Detection: Internal investigation
- Interaction with other factors: Factor #1 and #2 together caused this incident.
- Root Cause Analysis methodology used: 5-whys
Lessons Learned
- What went well: N/A
- What didn’t go well: The issue was discovered relatively late; we only realized this issue after external notification.
- Where we got lucky: N/A
- Additional: N/A
Action Items
| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Adjust the Email Security Gateway to reduce false positive rate | Mitigate | Root Cause #1 | iTrusChina has contacted the Gateway’s supplier and will adjust and constantly improve the Gateway’s quarantine rules and add whitelists to reduce the number of wrongly quarantined emails. | 2026-03-6 | In progress |
| Enhance the management of quarantined email lists | Mitigate & Prevent | Root Cause #2 | iTrusChina will establish the mechanism to enhance the management of quarantined email lists, and email receivers will receive email quarantine notification daily. | 2026-03-06 | In progress |
Updated • 8 days ago
Comment 1 (Assignee) • 2 days ago
iTrusChina is monitoring this bug for comments and questions. All the action items have been finished.
| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Adjust the Email Security Gateway to reduce false positive rate | Mitigate | Root Cause #1 | iTrusChina has contacted the Gateway’s supplier and will adjust and constantly improve the Gateway’s quarantine rules and add whitelists to reduce the number of wrongly quarantined emails. | 2026-03-6 | Done |
| Enhance the management of quarantined email lists | Mitigate & Prevent | Root Cause #2 | iTrusChina will establish the mechanism to enhance the management of quarantined email lists, and email receivers will receive email quarantine notification daily. | 2026-03-06 | Done |