NETLOCK: Failure to Respond to a Certificate Problem Report Within 24 Hours
This case reports that Netlock failed to begin investigating and provide a preliminary report for a Certificate Problem Report (CPR) within 24 hours of receipt, as required by CA/Browser Forum TLS Baseline Requirements Section 4.9.5. The CPR was received at Netlock’s CCADB-disclosed problem-reporting address (compliance.info@netlock.hu) on 2026-06-10 at 23:48 UTC and referenced an OCSP error and an affected certificate issuance.

The thread states that two mail-handling failures prevented the CPR from reaching Netlock’s dedicated compliance team: messages to compliance.info@netlock.hu were classified as spam and never surfaced to an internal warning list, and messages reaching secondary channels were not recognized as CPRs and were not escalated. As a result, Netlock did not provide an acknowledgment or preliminary report within the required 24 hours, and the first substantive reply reached the reporter 16 days later.

The reporter states that the incident’s impact is limited to responsiveness to the CPR and does not involve any misissued or otherwise non-compliant certificate; the referenced certificate is addressed in a separate OCSP Full Incident Report. The report indicates Netlock’s dedicated compliance team became aware of the failure on 2026-06-28 and began reviewing mail-system logs, with systemic remediation scheduled to complete by 2026-08-03.
- Netlock received a CPR at its CCADB-disclosed problem-reporting address.
- Netlock’s dedicated compliance team became aware of the CPR-response failure via the public filing of Bug 2051459 and began reviewing mail-system logs.
- kaluha.roland@netlock.hu — Filed a full incident report stating Netlock failed to respond to the CPR within 24 hours due to mail-handling failures and provided a timeline and remediation schedule.