← Asseco Data Systems S.A. cases
Bugzilla #1935393
Policy Compliance
Asseco DS / Certum: Failure to Update Policy Documents within 365 Days
RESOLVED
FIXED
Asseco Data Systems S.A.
AI Summary
Asseco Data Systems S.A. (Certum) failed to update its Certification Policy within the required 365 days, as mandated by the Baseline Requirements and Mozilla Root Store Policy. The issue was identified during a routine review of the CCADB, where it was discovered that the current policy was outdated. Although the incident did not affect certificate issuance, it highlighted gaps in internal procedures and reliance on individual methods for document updates. Certum has since revised its procedures, created an internal tracking system, and implemented a script to monitor policy updates, ensuring compliance moving forward.
Chronology
- Certum Certification Policy v.5.0 was published.
- Policy review identified outdated Certification Policy.
- Incident reported on Bugzilla.
- Certification Policy v.5.1 was released.
- Procedure for documentation update was revised.
- Implementation of tracking script completed.
- Incident report closure summary provided.
Participants
Kateryna Aleksieieva
External References
Similar Local Cases
Asseco DS / Certum: Use of forbidden subjectPublicKeyInfo algorithm
Asseco DS / Certum: CPS does not refer to BR domain validation methods
Asseco DS / Certum: Cross-Signed non-EV-audited root with an EV-enabled root
SECOM: Failed an annual CPS update of Cybertrust Japan (CTJ)
Microsoft PKI Services: Failure to modify policy documents within 365 days
Microsoft PKI Services: Policy Documentation, Failure to update Subscriber Certificate Max Validity Period
IdenTrust: Failure to disclose Unconstrained intermediate Within 7 Days
IdenTrust: Full Incident Report for bug 2016585 was not published within 14 days of discovering the issue