← Autoridad de Certificación (ANF AC) cases
Bugzilla #2047581 Audit Finding Policy Document Issue Cp Cps Document

ANF AC: 2026 Audit Report Finding 3 out of 3 (CPS missing OCSP/CRL timing-discrepancy documentation)

ASSIGNED Autoridad de Certificación (ANF AC)
This summary was auto-generated by AI and revised by me when needed — accuracy improves with each update. Always refer to the official Bugzilla thread as the authoritative source. If you spot an inaccuracy, let me know via the contact form.
AI Summary

This case reports an audit finding from ANF AC’s annual ETSI EN 319 411-1 conformity assessment audit. The audit identified that ANF AC’s CPS (OID 1.3.6.1.4.1.18332.1.9.1.1, version 3.12, dated 2026-03-24) did not document the origin of potential timing differences between OCSP- and CRL-based certificate status checking mechanisms, nor how to interpret status information if temporal discrepancies occur. The finding was treated as a non-conformity against ETSI EN 319 411-1 requirement CSS-6.3.10-09A. ANF AC stated the finding was documentary only and did not affect any issued certificates, OCSP responses, or CRLs. ANF AC became formally aware of the incident on 2026-03-30 and updated the CPS by issuing version 3.13 on 2026-03-30, adding in Section 4.10.1 that in a temporal discrepancy OCSP prevails and both mechanisms are expected to converge. ANF AC also completed a preventive peer review of ETSI requirements transcribed into its GRC system on 2026-05-05.

Model: gpt-5.4-nano Generated: 2026-06-19 19:21 UTC Confidence: 0.78 1 comment
Chronology
  1. CPS version 3.12 entered into force without documenting OCSP/CRL timing-discrepancy origin and interpretation.
  2. During the annual ETSI EN 319 411-1 audit, ANF AC was found non-conformant to CSS-6.3.10-09A and updated the CPS by issuing version 3.13.
  3. ANF AC completed a preventive peer review of ETSI requirements transcribed into its GRC system.
Thread Activity
  1. yulier.nunez@anf.es — Posted the full incident report describing the audit finding that the CPS did not document OCSP/CRL timing differences and the corrective CPS update to version 3.13.
Participants
yulier.nunez@anf.es
External References
Original Bugzilla Case
Similar Local Cases
#2047580 ASSIGNED Policy Document Issue Repository Issue Incident Self Reported Incident Opened 2026-06-15 Still Open · 82% similar
ANF AC: 2026 Audit Report Finding 2 out of 3
AI Summary CA Owner
#1970565 RESOLVED Audit Finding Self Reported Incident Opened 2025-06-05 · Closed 2025-07-08 · 59% similar
ANF AC: Finding #2 ETSI Audit - Information security policy not updated on the website
AI Summary CA Owner
#1970567 RESOLVED Audit Finding Opened 2025-06-05 · Closed 2025-07-08 · 59% similar
ANF AC: Finding #4 ETSI Audit - Missing one Revocation circumstance on CPS
AI Summary CA Owner
#1832342 RESOLVED Audit Finding Policy Document Issue Opened 2023-05-10 · Closed 2023-10-12 · 51% similar
Firmaprofesional: 2023 - documentary inconsistency
AI Summary CA Owner
#1771727 RESOLVED Audit Finding Policy Document Issue Opened 2022-05-30 · Closed 2023-02-22 · 48% similar
Firmaprofesional: 2022 - Define Device Obsolescence Process
AI Summary CA Owner
#1973236 RESOLVED Incident Policy Document Issue Self Reported Incident Opened 2025-06-20 · Closed 2025-07-09 · 48% similar
ANF AC: Delayed Disclosure of Updated Policy Documents in CCADB
AI Summary CA Owner
#1596949 RESOLVED Ca Documents Policy Document Issue Self Reported Incident Opened 2019-11-15 · Closed 2023-02-22 · 40% similar
FNMT: CP/CPS lack CAA processing details
AI Summary CA Owner
#1704199 RESOLVED Ca Documents Audit Finding Opened 2021-04-09 · Closed 2023-02-22 · 40% similar
FNMT: Minor non-conformities in 2021 audit statement
AI Summary CA Owner

We use only essential cookies and local browser storage for preferences and security. See our Privacy Policy for details.

Confirm action