Sectigo: Failure to revoke key-compromised certificate within 24 hours
Sectigo failed to revoke a certificate associated with a compromised key within the mandated 24-hour timeframe. The incident was reported on May 13, 2020, and although the revocation was processed by May 15, that was outside the required window. The delay was attributed to staffing challenges exacerbated by COVID-19, which affected Sectigo's ability to manage problem reports efficiently. Following the incident, Sectigo acknowledged the shortcomings in its response process and committed to improving its handling of such reports, including once again accepting key compromise reports via email.
- Certificate problem report received regarding compromised key.
- Certificate revoked, but outside the 24-hour requirement.
- Sectigo acknowledged slow response and committed to follow up.
- Sectigo announced they would accept key compromise reports via email again.