- How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
We received an email from Jonathan Rudenberg on 1/29/2019 at 17.53 GMT.
- A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
On 1/29/2019, we contacted the customers involved to inform them of the issue and request accelerated replacement/revocation. On the morning of 2/4/2019, remaining certificates were revoked.
- Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
The practice of issuing IP addresses in dNSName was halted in March 2018, but a decision was made to allow then-existing certificates to expire naturally. At that time, large numbers of similar certificates from many CAs were in use across the trusted SSL ecosystem.
- A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
A review on 2/4/2019 has found additional certificates (<10) with the same issue. Efforts are underway to contact customers to replace and revoke these. This bug will be updated at that time.
- The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
Improvements were made to our certificate management system, without revoking previously issued certificates, particularly as understanding of the BR evolved through industry discussion.
- List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
The issue was resolved in early 2018; these certificates are stragglers.
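
The mis-issuance pattern in this report, an IP address placed in a SAN dNSName entry, can be found by linting SAN entries that have already been parsed out of each certificate. The following is an added example, not code from the CA or the original report; the function names, the inventory layout and the serial labels are assumptions constructed for illustration.

```python
import ipaddress

def ip_in_dnsname(value):
    """Return the IP address a dNSName value encodes, or None for a hostname."""
    candidate = value.strip().rstrip(".")      # tolerate a trailing root dot
    if candidate.startswith("[") and candidate.endswith("]"):
        candidate = candidate[1:-1]            # bracketed IPv6 literal
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        return None                            # not an IP literal

def lint_san(entries):
    """entries: (general_name_type, value) pairs from one SAN extension.
    Returns one finding per dNSName entry that holds an IP address."""
    findings = []
    for gn_type, value in entries:
        if gn_type != "dNSName":
            continue                           # iPAddress entries are the correct place
        ip = ip_in_dnsname(value)
        if ip is not None:
            findings.append(
                f"dNSName '{value}' is an IPv{ip.version} address; "
                "it belongs in an iPAddress entry")
    return findings

def scan_inventory(inventory):
    """Map each certificate label to its findings, omitting clean certificates."""
    report = {}
    for label, entries in inventory.items():
        findings = lint_san(entries)
        if findings:
            report[label] = findings
    return report

# Constructed sample inventory (documentation address ranges, made-up labels).
INVENTORY = {
    "CONSTRUCTED-0001": [("dNSName", "www.example.com"), ("dNSName", "192.0.2.10")],
    "CONSTRUCTED-0002": [("dNSName", "mail.example.org"), ("iPAddress", "198.51.100.7")],
    "CONSTRUCTED-0003": [("dNSName", "2001:db8::1")],
    "CONSTRUCTED-0004": [("dNSName", "192.0.2.10.example.net")],
}

if __name__ == "__main__":
    for label, findings in scan_inventory(INVENTORY).items():
        for finding in findings:
            print(label, finding)
```

Run against the full set of unexpired certificates rather than only new requests, the same check surfaces certificates issued before an issuance-time fix took effect.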