Hello,

1) How your CA first became aware of the problem (e.g. via a problem report 
submitted to your Problem Reporting Mechanism, a discussion in 
mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the 
time and date.
 
We received a communication via Bugzilla from Wayne Thayer 
(https://bugzilla.mozilla.org/show_bug.cgi?id=1455147) on 2018-07-30 16:31:25 
PDT. Wayne, thanks once again.
 
2) A timeline of the actions your CA took in response. A timeline is a 
date-and-time-stamped sequence of all relevant events. This may include events 
before the incident was reported, such as when a particular requirement became 
applicable, or a document changed, or a bug was introduced, or an audit was 
done.
 
The task of disclosing the first CA certificate 
(https://crt.sh/?sha256=1defd59846cc2049ba1f1a74d3a8329d1357a2d47c1e1b0c15c27a8c60295455&opt=mozilladisclosure)
 was identified and planned previously, and it had to be done once the certificate 
was issued on Jun 29 10:27:17 2018 GMT.
 
The second CA certificate 
(https://crt.sh/?sha256=06a57d1cd5879fba2135610dd8d725cc268d2a6de8a463d424c4b9da89848696&opt=mozilladisclosure)
 was issued on Jul 3 12:01:18 2018 GMT.
 
We’ve failed to perform the task of disclosing the CAs in CCADB.

We've disclosed these certificates on July the 31st.
 
6) Explanation about how and why the mistakes were made or bugs introduced, and 
how they avoided detection until now.

The procedure established to publish the CAs in CCADB wasn't correct because it 
didn’t foresee the contingency that the person in charge of disclosing CA 
certificates in CCADB and the person acting as a backup weren’t available.

7) List of steps your CA is taking to resolve the situation and ensure such 
issuance will not be repeated in the future, accompanied with a timeline of 
when your CA expects to accomplish these things.

We're adding a third person as a point of contact in CCADB. We've already 
made the request and the person already has the necessary knowledge to manage 
this task.


Juan Angel 
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
