Bugzilla #1718785
Certificate Problem Report
Sectigo: 2020 failure to respond to CPRs discovered
RESOLVED
FIXED
Sectigo
AI Summary
During a WebTrust audit, Sectigo identified a failure to respond to one Certificate Problem Report (CPR): evidence of a timely investigation was not documented. Although the revocation occurred within the required timeframe, the lack of preliminary reporting raised compliance concerns. Automated systems implemented in December 2020 have since addressed this issue, ensuring timely responses to future reports. The case highlights the transition from manual to automated processes to reduce errors in handling CPRs.
Chronology
- Bug 1648717 opened to report errors in responses to inbound problem reports.
- Certificate revoked in response to a phishing campaign.
- Flaw in previous reporting discovered during WebTrust audit.
- Sectigo compliance team begins drafting report on the unreported error.
- Bug scheduled to close.
Participants
Tim Callan
Ben Wilson
Similar Local Cases
Sectigo: Mojibake in certificate Subject fields
Sectigo: ZeroSSL: failure to revoke within 24 hours
Sectigo: Misspellings in stateOrProvince or localityName fields
Sectigo: QWAC certificates issued with incorrect subject:organizationIdentifier attribute value
Sectigo: CPR response issues
Sectigo: "Manual DCV" method used
Sectigo: OCSP responses directly signed using root certificates without KU=digitalSignature
Sectigo: Failure to block disallowed LDH labels in domain names