Bugzilla #1611241
Certificate Problem Report
Entrust: Compromised Private Key was not Revoked in Less than 24 Hours
RESOLVED
FIXED
Entrust
AI Summary
Entrust failed to revoke a certificate within the mandated 24-hour period after a customer's private key was compromised. The incident was reported by third parties on January 20, 2020, but due to a miscommunication and procedural error, the revocation occurred nearly nine hours late. Entrust has since implemented measures to improve its incident response, including automated content scanning and better tagging of compliance-related cases to prevent future occurrences.
Chronology
- First notification of compromised key received at 6:39 am UTC.
- Certificate revoked at 3:21 pm UTC, missing the 24-hour deadline.
- Confirmation received that the certificate was revoked.
- Entrust announced implementation of new measures to improve compliance response.
Participants
Dathan Demone
Ryan Sleevi
Filippo Valsorda
Similar Local Cases
Entrust: Invalid localityName
Entrust: Failure to revoke a certificate
Entrust: Failure to provide a preliminary report within 24 hours.
Entrust: Printable String Constraint Failure
Entrust: Invalid data in State/Province Field
Entrust: Certificate issued with '-' in ST field
Entrust: Late revocation of underscore certificate
Entrust: Late Revocation for SSL Certificates issued with Un-verified IP Addresses