Incident Report - Entrust Datacard issued certificates with the incorrect Organization Name

Bruce

Mar 15, 2019, 4:58:52 PM
to mozilla-dev-s...@lists.mozilla.org
On March 7, 2019, Entrust Datacard discovered that SSL certificates with the wrong Organization value were issued to a customer. The investigation was completed 15 March 2019.

Details of the incident report can be found here, https://bugzilla.mozilla.org/show_bug.cgi?id=1535735.

All certificates will be revoked by 20 March 2019.

Thanks, Bruce.

Tim Hollebeek

Mar 15, 2019, 5:22:16 PM
to Bruce, mozilla-dev-s...@lists.mozilla.org
What is the rationale for waiting until March 20th for revocation given that
the issue was noticed on March 7th?

-Tim
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

Ryan Sleevi

Mar 15, 2019, 5:27:36 PM
to Bruce, mozilla-dev-s...@lists.mozilla.org
To echo Tim's remarks, this is really two issues:

1) A failure of controls (the current incident report)
2) A failure to revoke

I'm rather concerned about #2 and the lack of detail presently provided
regarding it, as well as the one week wait to filing the incident report
for #1.