- How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
We first became aware of the problem by the creation of this bug #1545208 at 2019-04-17 19:08:13 UTC and its assignment to Robin Alden.
- A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
2019-04-17 Wayne created this bug.
2019-04-23 In internal discussion we realized that the compliance team had missed the introduction of the requirement for a dated changelog entry when Mozilla’s policy version 2.5 was introduced.
2019-04-23 We created CPS v5.1.1 as an internal document, including a changelog reaching back to version 5.0. The Certificate Policy Authority approved this version for publication.
2019-04-24 CPS v5.1.1 was published as the current version in our repository.
2019-05-06 CPS v5.1.2 was approved and published. It updated the changelog.
Our previous CPS documents remain available at https://sectigo.com/certificate-practice-statement-archive
- Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
We issued a new CPS version which incorporated a change-log going back to the last major revision. We now maintain that change-log for each CPS update going forward.
- A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
We should have added a change-log to each CPS issued since Mozilla Policy 2.5 came into effect on 2017-06-23, which means that the following CPS revisions were deficient in this regard:
- The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
This omission is dismaying for us, because in https://bugzilla.mozilla.org/show_bug.cgi?id=1518553#c3, on 2019-01-09, we said:
“We previously had an informal process to review Mozilla CA Policy changes.
We have our internal audit team now hooked into monitoring and tracking Mozilla Policy changes.
We are making a new review of our compliance with each item of Mozilla policy, reviewing both current issuance and historic certificate issuance to ensure compliance”
The problem appears to be that we did not then reach back to analyse Mozilla Policy changes that had happened since 2.4.
In https://bugzilla.mozilla.org/show_bug.cgi?id=1518553#c7, on 2019-02-21, we said:
“After a review of our compliance with Mozilla policy we find that although we are substantially in compliance, in addition to the issue identified by the OP where we permitted p521 subscriber keys we have also identified that we had not restricted RSA subscriber keys to have moduli divisible by 8.”
The reviewer of our compliance with Mozilla policy used Mozilla’s own self assessment spreadsheet, which was good, but regrettably the version of the self assessment spreadsheet used was from 2018 and did not include a checklist item concerning the CPS changelog.
We see that the latest version of the self assessment spreadsheet does include this checklist item.
We realize that the responsibility to check our compliance with Mozilla’s policy is ours and that reliance on a possibly outdated self assessment spreadsheet is not a justification for failing to comply with the policy as written.
We have a fresh compliance review in progress.
- List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
We have reviewed the checklist that we use for Mozilla policy compliance review and added additional items and/or comments where needed.
We are repeating our review of compliance with Mozilla policy. We anticipate having the result of that review by 19th July.
We apologize for our delayed response to this bug. We will address that delay in our response to bug 1563579 (Sectigo: Failure to provide timely incident reports).