1) How your CA first became aware of the problem (e.g. via a problem report=
submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev=
..security.policy, a Bugzilla bug, or internal self-audit), and the time and=
We receive a communication via Buzilla from Wayne Thayer (https://bugzilla.=
mozilla.org/show_bug.cgi?id=3D1455147) on 2018-07-30 16:31:25 PDT). Wayne, =
thanks once again.
2) A timeline of the actions your CA took in response. A timeline is a date=
-and-time-stamped sequence of all relevant events. This may include events =
before the incident was reported, such as when a particular requirement bec=
ame applicable, or a document changed, or a bug was introduced, or an audit=
The task about disclose the first CA certificate (https://crt.sh/?sha256=3D=
lladisclosure) was identified and planned prevouisly and it must be done on=
ce the certificate was issued on Jun 29 10:27:17 2018 GMT =20
The second CA certificate (https://crt.sh/?sha256=3D06a57d1cd5879fba2135610=
dd8d725cc268d2a6de8a463d424c4b9da89848696&opt=3Dmozilladisclosure) was issu=
ed on Jul 3 12:01:18 2018 GMT.
We=E2=80=99ve failed to perform the task about disclose the CAs into CCADB.
We've disclosed these certificates on July the 31th.
6) Explanation about how and why the mistakes were made or bugs introduced,=
and how they avoided detection until now.
The procedure established to publish the CAs into CCADB wasn't correct caus=
e it didn=E2=80=99t foresee the contingency of the person in charge of disc=
losing CA=E2=80=99s certificates into CCADB and the person acting as a back=
up weren=E2=80=99t available.
7) List of steps your CA is taking to resolve the situation and ensure such=
issuance will not be repeated in the future, accompanied with a timeline o=
f when your CA expects to accomplish these things.
We're adding a third person as a point of contact into CCADB. We've already=
done the request and the person already has the necessary knowledge to man=
age this task.