← Disig, a.s. cases
Bugzilla #1670458
Policy Compliance
Disig: Failure to provide a preliminary report within 24 hours.
RESOLVED
FIXED
Disig, a.s.
AI Summary
Disig, a.s. faced a compliance issue for failing to provide a preliminary report within the required 24-hour timeframe after receiving a problem report regarding misissued certificates. The issue arose when a report was sent on October 10, 2020, but Disig did not respond until October 12, 2020, citing a low security risk and weekend timing as reasons for the delay. The CA has since acknowledged the oversight and has taken steps to improve their incident response processes. They have also committed to revoking the misissued certificates and have updated their certificate issuance profiles to prevent similar issues in the future.
Chronology
- Problem report received by Disig.
- Disig responded to the report, acknowledging the delay.
- Disig issued new certificates without the problematic field.
- All misissued certificates were revoked.
Participants
George [:fozzie]
Peter Miskovic
External References
Similar Local Cases
Disig: CPS does not refer to BR domain validation methods
Microsoft PKI Services: Failure to disclose Unconstrained Intermediate within 7 Days
NETLOCK: did not file a preliminary incident report or respond to a third-party report within the 72-hour timeframe
Sectigo: Failure to revoke certificate with previously-compromised key within 24 hours
Actalis: Non-BR-Compliant Certificate Issuance
NetLock: Replacement of enduser certificates after the EVGL 1.7.4 self-audit
Microsoft PKI Services: Policy Documentation, Failure to update Subscriber Certificate Max Validity Period
Microsoft PKI Services: Failure to modify policy documents within 365 days