Bugzilla #1945197
Certificate Problem Report
Sectigo: Late receipt and disclosure to CCADB of ETSI audit letters
RESOLVED
FIXED
Sectigo
AI Summary
Sectigo reported a late disclosure of ETSI audit letters for their QWAC Subordinate CAs, which violated Mozilla and Chrome Root Program Policies. The audit period was unexpectedly shortened to less than 365 days without notification, leading to a delay in submission to CCADB. Sectigo has since updated their internal practices to prevent future occurrences, including improved communication with auditors and a more thorough review process for audit letters.
Chronology
- Sectigo discovers shortened audit period while submitting ETSI audit letters.
- Sectigo submits incident report detailing the late disclosure.
- Incident report closure summary provided by Sectigo.
Participants
Martijn Katerbarg
B. Wilson
Similar Local Cases
Sectigo: Package patching gap within Certificate Systems
Sectigo: Temporary failure to publish OCSP responses for newly issued certificates
Sectigo: OCSP, caIssuers, and CRL endpoints unavailable for a single Subordinate CA
Sectigo: Inaccuracy of CCADB-Disclosed URL for eIDAS CP/CPS
Sectigo: QWAC certificates issued with incorrect subject:organizationIdentifier attribute value
Sectigo: Lack of documentation for vulnerability NVD rating adjustment
Sectigo: OV reuse data applied for wrong organization
Sectigo: OCSP and CRL traffic not being proxied for 3 Subordinate CAs