Thanks. I’m still concerned there’s a fair bit of detail missing that would help understand this incident, as well as understand precisely how it’s being prevented.
Can you share more detail about how the current report is made? Similarly, since you mentioned “via the supported API”, perhaps clarify (with diagrams) the paths of requests that can make it into your system? These are examples that help reveal both the current system and the thought process behind mitigations.
From Bug 1734917, it sounds like your report was simply looking at existing certificates and reminding organizations to provide updated documents. But if that’s the explanation for this issue, then it seriously overlooks that there’s a flaw in the issuance process itself, since one would have expected, at minimum, a human review during the issuance process, to complement the technical control being developed.
The goal here, as I mentioned, is to make sure that there’s enough detail to understand how the mistakes were made: the design flaw of the report, the lack of procedural controls, etc. For example, with more detail, it might suggest that a mistake CAs could make is reporting only on certificates, rather than on underlying validation data from the database. It’s unclear why your report took the design approach it did, which, again, is where more detail helps.