Izenpe posted the following incident report to https://groups.google.com/d/msg/mozilla.dev.security.policy/FyZnXUbrsOI/gtMiRciVFgAJ:
How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
We have controls to detect any misissuance before and after the issuance of the certificate. The certificate was issued at 11:52, detected in the following minute, and revoked at 12:07
A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
Feb 14th 11:52 -> the certificate was issued
Feb 14th 11:53 -> the misissuance was detected
Feb 14th 12:07 -> the certificate was revoked
Feb 14th 13:28 -> reported the incident to our PKI software manufacturer
Feb 14th 15:24 -> received the answer from the manufacturer. They tell us that there’s a bug in the preventive filter with the OU, and that they have a hotfix to solve it.
Feb 14th 17:21 -> Izenpe reports to mozilla.dev.security.policy list
Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
We’ll do a dual manual check until we have the hotfix correctly applied
A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
There’s just one certificate affected
The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
It was a bug in the filter of the PKI software
List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
We hope to have the product hotfix applied by March 3rd