Formal reply addressing the questionnaire format:
Issue pathLenConstraint with CA:False (IdenTrust)
1. How your CA first became aware of the problems listed below (e.g. via a Problem Report, via the discussion in mozilla.dev.security.policy, or via this Bugzilla Bug), and the date.
IdenTrust: Problem Reported to IdenTrust via the Mozilla Dev Security Policy Forum on August 9, 2017
2. Prompt confirmation that your CA has stopped issuing TLS/SSL certificates with the problems listed below.
IdenTrust: The issue was addressed immediately and a formal reply was supplied to the forum on August 10, 2017
3. Complete list of certificates that your CA finds with each of the listed issues during the remediation process. The recommended way to handle this is to ensure each certificate is logged to CT and then attach a CSV file/spreadsheet of the fingerprints or crt.sh IDs, with one list per distinct problem.
IdenTrust: There were 5 certificates reported with this issue:
4. Summary of the problematic certificates. For each problem listed below:
number of certs, date first and last certs with that problem were issued.
IdenTrust: Those 5 certificates were issued between January 16 and February 14, 2017.
2 of them were pre-certificates.
5. Explanation about how and why the mistakes were made, and not caught and fixed earlier.
IdenTrust: IdenTrust identified this situation during a routine audit in March of 2017. The certificates (which are all internal to IdenTrust) were reissued and those that were incorrect were intended to be revoked; unfortunately the revocation did not occur.
These certificates were created during the process of building a new product, which has not yet been officially launched, and no additional certificates have been issued under this profile. Quarterly audits, consisting of evaluating a sampling of certificates, have been conducted; however, due to the fact that a revocation order had been issued for these certificates and we have no active production certificates for this program, no sampling was warranted.
With respect to the lack of follow-through on the revocation in March 2017, because these certificates were not production certificates issued to actual subscribers, our standard revocation process for certificates does not appear to have been followed; rather, an informal internal emailed request was initiated and was apparently overlooked. We have addressed this internally and put remediation steps into place that will alleviate this possibility in the future.
6. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
IdenTrust:
1. The 5 certificates were revoked on August 10, 2017
2. Since March 2017 we have corrected the profiles to prevent recurrence of this issue
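The profile error behind this bug, as an added check that is not part of IdenTrust's reply: a stdlib-only Python lint of a DER-encoded basicConstraints extension value that flags pathLenConstraint present while cA is FALSE (RFC 5280 section 4.2.1.9). The sample extension values at the bottom are constructed for illustration, not taken from the affected certificates.

```python
"""Lint the DER value of an X.509 basicConstraints extension.

BasicConstraints ::= SEQUENCE {
    cA                 BOOLEAN DEFAULT FALSE,
    pathLenConstraint  INTEGER (0..MAX) OPTIONAL }

RFC 5280 says pathLenConstraint is only meaningful when cA is TRUE, so a
profile that emits it on an end-entity certificate is malformed and a
pre-issuance lint should reject it.  Minimal hand-rolled DER parsing.
"""


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for a short-form DER TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected in basicConstraints")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def parse_basic_constraints(der: bytes):
    """Decode the extension value; returns (ca, path_len) with path_len None
    when pathLenConstraint is absent."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("basicConstraints is not a single SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:       # optional BOOLEAN cA
        _, val, pos = _read_tlv(body, pos)
        if val not in (b"\x00", b"\xff"):
            raise ValueError("non-DER BOOLEAN encoding")
        ca = val == b"\xff"
    if pos < len(body) and body[pos] == 0x02:       # optional INTEGER pathLen
        _, val, pos = _read_tlv(body, pos)
        path_len = int.from_bytes(val, "big", signed=True)
    if pos != len(body):
        raise ValueError("trailing bytes in basicConstraints")
    return ca, path_len


def lint_basic_constraints(der: bytes) -> list:
    """Return lint findings; an empty list means the extension is acceptable."""
    ca, path_len = parse_basic_constraints(der)
    findings = []
    if path_len is not None and not ca:
        findings.append("pathLenConstraint present but cA is FALSE")
    if path_len is not None and path_len < 0:
        findings.append("pathLenConstraint is negative")
    return findings


# Constructed sample extension values (hypothetical, not from the incident):
END_ENTITY = bytes.fromhex("3000")               # {}                -> OK
CA_PATHLEN0 = bytes.fromhex("30060101ff020100")  # {cA TRUE, pathLen 0} -> OK
BAD_PATHLEN = bytes.fromhex("3003020100")        # {pathLen 0}, cA defaults FALSE
```

Running the linter over every certificate a profile produces before it is signed catches this class of error at issuance rather than in a later audit.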