Bugzilla #1625715
Policy Compliance
Sectigo: Failure to revoke certificate with previously-compromised key within 24 hours
RESOLVED
FIXED
Sectigo
AI Summary
Sectigo faced a compliance issue regarding the timely revocation of a certificate whose private key had previously been reported as compromised. On March 20, 2020, Sectigo was notified that the key was compromised. The affected certificate was revoked the same day, but a new certificate was then issued for the same compromised key, and that certificate was not revoked within the 24 hours required once a key compromise is known, which raised concerns about adherence to Mozilla's policies. Sectigo acknowledged the oversight and has since put measures in place to ensure that certificates for known-compromised keys are revoked within 24 hours.
Chronology
- Certificate using a compromised key was reported to Sectigo and revoked the same day.
- New certificate issued for the same compromised key.
- Sectigo provided an incident report detailing the timeline and the actions taken.
Participants
Wayne Thayer
Robin Alden
Matt Palmer
Similar Local Cases
Sectigo: Missing Changelog in CPS
Sectigo / SSL.com: Late disclosure of updated SSL.com CP/CPS to CCADB
Camerfirma: Decision not to revoke certificates with authorityKeyIdentifier that violates Mozilla Policy
SwissSign: BRs require full annual audits
CFCA: Missed annual CPS update publication on website in 2018
Sectigo: Incomplete Subscriber Agreement provisions
DigiCert: Inconsistent EV audits
Camerfirma: Govern d'Andorra audits