Comment on attachment 9035570 [details]
Pasting the details from this, for folks who have trouble opening the .docx. It appears to have been translated, and I've made slight changes to the format to make it easier to read in Bugzilla.
- How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
GCA started to issue a multi-domain certificate for a test server on Jan. 7th, 2018 and started to issue multi-domain certificates on Mar. 23rd, 2018. These certificates contain multiple domains in the CN field. Internal staff found this issue on May 7th and fixed it on May 10th. The CN field contains only one domain name afterward.
The subscribers of the 88 affected certificates issued between Jan. 7th and May 7th were informed to apply for new certificates. Because these certificates are used by hundreds of government agencies and their web servers, the process of applying for new certificates would take longer than we expected. The subscribers asked for additional time for their process to apply for new certificates and replace the old ones before we revoke these certificates. After evaluating the security risk and the subscribers' processing time, we decided to revoke all affected certificates by Feb. 28, 2019. By Dec. 31, 2018, 20.5% of the affected certificates had been re-issued.
GCA became aware of this issue through our technicians and fixed the problem on May 10th, but our contact window (Mr. Hung-Yu Hsu) didn't receive the notice about this bug until Mr. Wayne Thayer mailed him on Jan 5th, 2019. So we missed the report time. Maybe there is something wrong with our mail (email@example.com).
- A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
Jan. 7th 2018: Issued a multi-domain certificate for a test server
Mar. 23rd 2018: Started multi-domain certificate service
May 7th 2018: Found this issue and stopped multi-domain certificate service
May 10th 2018: Fixed this issue and resumed multi-domain certificate service
Feb. 28th, 2019: Revoke all certificates containing this issue.
- Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
The multi-domain certificate service was stopped on May 7th, 2018 and the issue was fixed on May 10th, 2018. The number of affected certificates issued between Jan. 7th and May 7th is 88. These affected certificates will be revoked by Feb. 28, 2019.
- A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
The number of affected certificates issued between Jan. 7th and May 7th, 2018 is 88.
- The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
All affected certificates are listed in the attachment.
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
The CA started to issue multi-domain certificates from Jan. 7th 2018; the technicians missed checking the format of the multi-domain certificates.
- List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
Step 1. Found the issue on May 7th 2018
Step 2. Stopped multi-domain certificate service on May 7th 2018
Step 3. Fixed the issue on May 10th 2018
Step 4. Revoke all affected certificates by Feb. 28 2019
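The report above says the technicians "missed checking the format" of the multi-domain certificates, i.e. nothing in the issuance path rejected a CN holding several names. As an added example (not code from GCA, from Mozilla, or from this bug), here is a small Go pre-issuance lint for the two properties relevant to this incident: the CN must be a single name, and it must be repeated in the SAN dNSNames. The certificates it builds are self-signed test data with constructed example hostnames, not any subscriber's real certificate; the separator heuristic (space, comma, semicolon) is an assumption about how several names end up crammed into one CN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// lintCommonName returns one message per problem found in the subject CN.
// Two checks, matching the incident in this bug:
//  1. the CN must hold a single name, so a space, comma or semicolon inside
//     it is treated as a sign of several names (assumed separator set);
//  2. the CN must repeat one of the SAN dNSNames, so a name that exists only
//     in the CN is flagged.
// An empty CN is not a finding: the CN is optional.
func lintCommonName(cert *x509.Certificate) []string {
	var findings []string
	cn := cert.Subject.CommonName
	if cn == "" {
		return findings
	}
	if strings.ContainsAny(cn, " ,;") {
		findings = append(findings,
			fmt.Sprintf("CN %q looks like more than one name", cn))
	}
	inSAN := false
	for _, name := range cert.DNSNames {
		if strings.EqualFold(name, cn) {
			inSAN = true
			break
		}
	}
	if !inSAN {
		findings = append(findings,
			fmt.Sprintf("CN %q is not one of the SAN dNSNames %v", cn, cert.DNSNames))
	}
	return findings
}

// makeCert builds a self-signed leaf with the given CN and SAN list so the
// lint can be exercised offline. Constructed test data, not a real certificate.
func makeCert(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed example hostnames, not GCA's subscribers.
	sans := []string{"www.example.test", "www2.example.test"}
	cases := []struct{ label, cn string }{
		{"before fix", "www.example.test, www2.example.test"}, // several names in one CN
		{"after fix", "www.example.test"},                     // single name, present in SAN
	}
	for _, c := range cases {
		cert, err := makeCert(c.cn, sans)
		if err != nil {
			panic(err)
		}
		findings := lintCommonName(cert)
		fmt.Printf("%s: %d finding(s) %v\n", c.label, len(findings), findings)
	}
}
```

Run as a gate between the CSR/profile step and the signing step: a non-empty result from lintCommonName means the profile should not be signed. The "before fix" certificate yields two findings (multi-name CN, and a CN that is not a SAN entry); the "after fix" certificate yields none.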