Because this is a delayed revocation incident, there is heightened scrutiny of your CA and its responses. Please note that according to the CCADB Incident reporting Guidelines, reports "SHOULD be updated every 3 days and MUST be updated no less frequently than every 7 days to describe: the number of certificates that have been revoked; the number of certificates that have not yet been revoked; the number of certificates planned for revocation that have expired; and an estimate for when all remaining revocations will be completed." The "Timeline" section must include the "time(s) at which the CA Owner is expected to complete revocation of affected certificates" and the "time(s) at which the CA Owner actually completed revocation of affected certificates". The "Analysis" section must describe "the factors and rationales behind the decision to delay revocation (including detailed and substantiated explanations of how extensive harm would result to third parties–such as essential public services or widely relied-upon systems–and why the situation is exceptionally rare and unavoidable)." "The Action Items list MUST include steps reasonably calculated to prevent or reduce future revocation delays. Note that it is not sufficient for these action items to simply stop this incident, they MUST create additional protections to prevent future incidents."
Bug 1947691 Comment 10 Edit History
Because this is a delayed revocation incident, there is heightened scrutiny of your CA and its responses. Please note that according to the CCADB Incident Reporting Guidelines (https://www.ccadb.org/cas/incident-report), reports "SHOULD be updated every 3 days and MUST be updated no less frequently than every 7 days to describe:

- the number of certificates that have been revoked;
- the number of certificates that have not yet been revoked;
- the number of certificates planned for revocation that have expired; and
- an estimate for when all remaining revocations will be completed."

The "Timeline" section must include the "time(s) at which the CA Owner is expected to complete revocation of affected certificates" **and** the "time(s) at which the CA Owner actually completed revocation of affected certificates". The "Analysis" section must describe "the factors and rationales behind the decision to delay revocation (including detailed and substantiated explanations of how extensive harm would result to third parties–such as essential public services or widely relied-upon systems–and why the situation is exceptionally rare and unavoidable)." "The Action Items list MUST include steps reasonably calculated to prevent or reduce future revocation delays. Note that it is not sufficient for these action items to simply stop this incident, they MUST create additional protections to prevent future incidents."