Asseco Data Systems / Certum: Delayed revocation of SSL.COM cross certificate
This case is a continuation of Bug 1815355 and concerns the delayed revocation of an SSL.COM cross certificate. The CA (Certum/Asseco Data Systems) stated that it analyzed the issue and contacted SSL Corporation to confirm its findings. In the incident report, Certum explained that it decided not to revoke the cross certificate because it expires soon, in September 2023, and because it considered the risk negligible given the short remaining validity period and the number of end customers that would need to transfer to a new cross certificate. As corrective actions, Certum said it would change the cross-certification contract provision to explicitly state a 7-day revocation requirement for the cross certificate, regardless of the reason for revocation, and require partners to inform end customers that revocation will take 7 days. The CA also stated it would not issue any new cross certificate until the reported problem was resolved. The bug was resolved as FIXED, and Mozilla indicated it intended to close the bug unless there were additional questions or concerns.
- Bug 1815355 was created, initiating the reported issue that this case continues.
- Certum began analyzing the cross-certificate problem and contacted SSL Corporation to confirm findings.
- This continuation bug (1826363) was opened by Asseco Data Systems / Certum.
- Certum provided the incident report describing the decision not to revoke and the corrective contract changes.
- Mozilla planned to close the bug if no further questions or concerns were raised.
- aleksandra.kurosz@assecods.pl — Opened the continuation bug and said they were working on an answer and action plan with SSL.COM, with regular updates to follow.
- ryandickson@google.com — Requested an incident report using the CCADB incident-report format, including root cause analysis and steps to prevent recurrence.
- aleksandra.kurosz@assecods.pl — Said the incident report would be provided no later than April 19, 2023.
- aleksandra.kurosz@assecods.pl — Provided an incident report including a timeline, stated that Certum would not issue new cross certificates until the problem was resolved, explained why it decided not to revoke the cross certificate, and described corrective contract and partner notification actions.
- aleksandra.kurosz@assecods.pl — Asked whether there were any questions and noted there were no further updates.
- aleksandra.kurosz@assecods.pl — Asked if the bug could be closed if there were no questions.
- bwilson@mozilla.com — Indicated intent to close the bug the following Wednesday (7 June 2023) unless there were additional questions or concerns.