Below is the full text of Revocation Delay Report, according to the Mozilla Policy[1]. ____________________________________________________________________________ Revocation Delay Report Process - Informed of the problematic certificate During the CP/CPS review period, Wayne informed SHECA about the problematic certificates.
-Informing subscriber SHECA checked out the subscriber, informed them immediately. These two certificates belong to a same financial service institution, which has very strict risk control requirement. These two certificates are used in their website of main business. -Communication Subscriber agree to replace these two certificate, but strongly urge the revocation can only be done during the system update window in holiday. Since revocation and replacement of these two certificates cause affect to their service operation. We understand their concern and try our best to minimize the effect to subscriber. So we start to evaluate the risk and forming a delay revocation plan. -Evaluation SHECA performed a research of the reason, and conducted an incident report. The issue of these two certificates is IP Addresses encoded as DNS Name type in the SAN, this is a manual mi-soperation. The risk is much lower than risk of weak key, private key compromise etc. But this issue still not compliant with requirement of CABF and may cause risk to the security level of the certificate. We informed subscriber of the Risk Evaluation result, but subscriber insist the priority level is not high enough, and won’t stop the system operation only for revoking the problematic certificates. -Plan SHECA should notify subscriber of the risk repeatedly every week and ask for agree of revocation. Concerning the risk of relying parties and operation risk of SHECA, SHECA plan to send final notification in early September and revoke in one week after sending the notification. _________________________________________________________________________ SHECA performed all these process since informed of the issue, we try very hard to convince the subscriber to co-operate without effect their business. We sent the final notification today and received reply this afternoon. The subscriber finally agree to revoke the certificate this week, we will update the status once it’s revoked. [1] https://wiki.mozilla.org/CA/Responding_To_An_Incident _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy