CA/Responding To An Incident
- Were you aware of this issue before it was reported?
- Have you scanned your corpus of certificates for others with the same issue?
- What processes should have prevented this, if any? Why did they fail?
- What steps are you taking to make sure it doesn't happen again?
Take any affected issuing CA offline immediately.
Post any updates as new threads, with a comment in the old thread referencing the new one. (Explain why)
Examples of Good Practice
Let's Encrypt Unicode Normalization Compliance Incident
- Initial Public Problem Report, 2017-08-10 20:23 UTC (apparently LE were made aware of the problem privately earlier that day)
- Initial Public Response from CA, 2017-08-10 21:53 UTC
- Final Report from CA, 2017-08-11 03:00 UTC
In this case, the CA managed to diagnose, remediate and deploy the fix to production within 24 hours.
PKIOverheid Short Serial Number Incident
- Initial Public Problem Report, 2017-07-18 22:26 UTC
- Initial Public Response from CA, 2017-07-25 19:20 UTC
- Final Report from CA, 2017-08-11 14:39 UTC
While the CA could have provided interim updates, and the final report was a little delayed, the contents of it were excellent.