Risk Register
:::info Source
Sourced from services/certification-service/SERVICE_RISK_REGISTER.md in the documentation repo.
:::
| ID | Risk | Sev | Impact | Mitigation | Owner |
|---|---|---|---|---|---|
| R-CF-01 | Forged certificate via signing key compromise | S1 | Platform trust destroyed | HSM-backed keys; rotation; audit logs; incident plan | Certification + Security |
| R-CF-02 | Enumeration of the public verify endpoint | S2 | Learner PII exposed via enumerated records | Rate limit; alert; optional CAPTCHA; minimal exposed PII | Certification + Security |
| R-CF-03 | Offline claim forgery | S1 | Unearned certificates | Bundle-key signature; nonce replay protection; bounded clock skew | Certification + Content |
| R-CF-04 | Stale revocation status cached at CDN | S2 | Revoked certificate still shown as issued | CDN purge on revoke; short TTL; live recheck on click | Certification + SRE |
| R-CF-05 | Rushed kid rotation invalidates outstanding bundles | S2 | Valid certificates fail verification | 2-day overlap mandatory; emergency procedure documented | Certification + Security |
| R-CF-06 | OpenBadges 3.0 spec regression | S3 | Interop failures | Conformance in CI | Certification |
| R-CF-07 | Duplicate issuance race | S3 | Multiple certs per completion | Unique constraint; idempotency; saga | Certification |
| R-CF-08 | GDPR tension: retention vs erasure | S2 | Regulator inquiry | Tenant policy; anonymization; legal review | Compliance + Certification |
| R-CF-09 | Renderer RCE via template layout | S1 | Platform compromise | Sandbox (gVisor); HTML sanitization; no-script; template review | Certification + Security |
| R-CF-10 | Mass revocation abuse by admin | S2 | Learner harm | 4-eyes for > 100 revocations; audit; anomaly detection | Compliance + Certification |
| R-CF-11 | Cross-tenant template reuse | S2 | Branding leak | Tenant-scoped templates; tenant isolation tests | Certification |
| R-CF-12 | Artifact URL leak (signed URL in logs) | S3 | Short-window access | Redaction; TTL bounded; artifact re-sign on demand | Platform + Certification |
| R-CF-13 | Storage cost of indefinite retention | S3 | Margin erosion | Cold archive after 2 years; tenant-initiated deletion | Certification + Finance |
| R-CF-14 | Verification token collision | S4 | Wrong record matched on verify (extremely unlikely: ULID + HMAC) | Fingerprint check rejects collisions; regenerate token | Certification |
| R-CF-15 | Wallet-pass signing key rotation breaks issued passes | S3 | Wallet passes fail to update | Coordinated with platform release; fallback to PDF | Certification + Platform |
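The mitigations for R-CF-03 (bundle-key signature, nonce replay protection, bounded clock skew) and R-CF-05 (overlapping kid validity during rotation) are easiest to reason about as one verifier. The following is an added illustration, not code from the certification service: it uses HMAC-SHA256 as a stand-in for the bundle-key signature, assumes a claim shape of `{"kid", "payload", "sig"}` with `iat`, `exp` and `nonce` inside the payload, and uses a constructed key ring whose validity windows are in seconds rather than the 2-day overlap the register mandates. The key-record fields, the 300-second skew allowance and all sample values are assumptions for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Hypothetical key-ring entry. Each kid carries a validity window so that,
# during rotation, the retiring kid and the new kid are BOTH accepted while
# the windows overlap (R-CF-05). Field names are assumed for this example.
@dataclass(frozen=True)
class KeyRecord:
    secret: bytes
    not_before: int  # epoch seconds, inclusive
    not_after: int   # epoch seconds, inclusive

MAX_SKEW = 300  # seconds of clock skew tolerated on iat/exp (assumed value)

def canonical(payload: dict) -> bytes:
    # Deterministic serialization so issuer and verifier sign identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def issue_claim(keys: dict, kid: str, payload: dict) -> dict:
    """Sign payload under the bundle key identified by kid (HMAC stand-in)."""
    tag = hmac.new(keys[kid].secret, canonical(payload), hashlib.sha256).hexdigest()
    return {"kid": kid, "payload": payload, "sig": tag}

class OfflineVerifier:
    def __init__(self, keys: dict, max_skew: int = MAX_SKEW):
        self.keys = keys
        self.max_skew = max_skew
        self.seen_nonces: set = set()  # production: persistent store, pruned by exp

    def verify(self, claim: dict, now: int) -> tuple:
        kid = claim.get("kid")
        rec = self.keys.get(kid)
        if rec is None:
            return False, "unknown kid"
        # Overlap handling: a kid is accepted only inside its own window.
        if not (rec.not_before <= now <= rec.not_after):
            return False, "kid outside validity window"
        payload = claim.get("payload")
        if not isinstance(payload, dict):
            return False, "malformed claim"
        # Signature first: nothing in the payload is trusted until it passes.
        expected = hmac.new(rec.secret, canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(claim.get("sig", ""))):
            return False, "bad signature"
        try:
            iat, exp, nonce = int(payload["iat"]), int(payload["exp"]), str(payload["nonce"])
        except (KeyError, TypeError, ValueError):
            return False, "missing iat/exp/nonce"
        # Bounded clock skew: tolerate MAX_SKEW on both edges, no more.
        if iat > now + self.max_skew:
            return False, "issued in the future"
        if now > exp + self.max_skew:
            return False, "expired"
        if exp < iat:
            return False, "exp before iat"
        # Replay protection: each nonce is accepted exactly once.
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(nonce)
        return True, "ok"

# Constructed demo key ring: kid "2024-01" is retiring, "2024-02" takes over;
# the windows overlap between t=800 and t=1000.
DEMO_KEYS = {
    "2024-01": KeyRecord(b"demo-secret-1", not_before=0, not_after=1000),
    "2024-02": KeyRecord(b"demo-secret-2", not_before=800, not_after=5000),
}

def demo() -> list:
    v = OfflineVerifier(DEMO_KEYS)
    body = {"sub": "learner-42", "course": "sec-101", "iat": 900, "exp": 3600, "nonce": "n-1"}
    claim = issue_claim(DEMO_KEYS, "2024-01", body)
    tampered = dict(claim, payload=dict(body, sub="learner-99"))
    return [
        v.verify(claim, now=950),     # old kid, inside overlap: accepted
        v.verify(claim, now=950),     # identical bundle again: replayed nonce
        v.verify(claim, now=1500),    # old kid past not_after: the R-CF-05 failure
        v.verify(tampered, now=950),  # payload edited after signing
    ]

if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The third result is the symptom R-CF-05 describes: once the retiring kid's window closes, every bundle still signed under it fails, which is why the overlap has to outlast the longest bundle still in circulation.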
Governance
- Signing key rotation → CTO sign-off.
- Mass revocation (> 100) → compliance officer + admin 4-eyes.
- Quarterly: rotation drill, verify endpoint load test.