← Internet Security Research Group cases
Bugzilla #1886876 Certificate Problem Report

Let's Encrypt: keyCompromise key blocking deviation from CP/CPS

RESOLVED FIXED Internet Security Research Group
AI Summary

During a quarterly review, Let's Encrypt identified a discrepancy between their documented revocation policy for key compromises and their actual software behavior. The incident revealed that 18,333 revocation requests were processed incorrectly, leading to keys not being blocked as required. Although issuance of certificates was not halted, the team has since updated their CP/CPS to align with their operational practices and has completed necessary remediation actions, including blocking the affected keys and revoking certificates that should have been revoked.

Model: gpt-4o-mini Generated: 2026-06-13 21:18 UTC Confidence: 0.95
Chronology
  1. Discrepancy discovered during CP/CPS review
  2. CP/CPS updated to reflect actual behavior
  3. All affected keys blocked
  4. Automation for CP/CPS review established
Participants
J.C. Jones [:jcj] Aaron Gable Mathew Hodson Chris Wilson
External References
Original Bugzilla Case letsencrypt.org letsencrypt.org
Similar Local Cases
#1753123 RESOLVED Certificate Problem Report Opened 2022-02-01 · Closed 2023-01-04 · 59% similar
Let's Encrypt: Failure to provide OCSP Responses for some certificates
AI Summary CA Owner
#1742704 RESOLVED Certificate Problem Report Opened 2021-11-23 · Closed 2024-05-09 · 58% similar
Let's Encrypt: Potential Denial of Service against websites with broad private key reuse
AI Summary CA Owner
#1838667 RESOLVED Certificate Problem Report Opened 2023-06-15 · Closed 2023-07-05 · 58% similar
Let's Encrypt: Duplicate Serial Numbers
AI Summary CA Owner
#1715672 RESOLVED Certificate Problem Report Opened 2021-06-10 · Closed 2023-02-22 · 57% similar
Let's Encrypt: Failure to revoke for Certificate Lifetime Incident
AI Summary CA Owner
#1793114 RESOLVED Certificate Problem Report Opened 2022-09-30 · Closed 2023-02-22 · 57% similar
Let's Encrypt: Incomplete and Inconsistent CRLs
AI Summary CA Owner
#1799755 RESOLVED Certificate Problem Report Opened 2022-11-08 · Closed 2024-05-09 · 57% similar
Let's Encrypt: End Entity CRLs Not Reissued On Time
AI Summary CA Owner
#1751984 RESOLVED Certificate Problem Report Opened 2022-01-25 · Closed 2023-02-22 · 56% similar
Let's Encrypt: TLS Using ALPN TLS Version and OID
AI Summary CA Owner
#1900129 RESOLVED Certificate Problem Report Opened 2024-05-31 · Closed 2024-06-28 · 55% similar
Certainly: Serving invalid or incomplete CRLs
AI Summary CA Owner

We use only essential cookies and local browser storage for preferences and security. See our Privacy Policy for details.

Confirm action