CA/Entrust Issues

195 bytes added, 6 May
5. EV Certificate missing Issuer’s EV Policy OID -: edited based on comment from Mike Shaver
https://bugzilla.mozilla.org/show_bug.cgi?id=1888714
Entrust issued 1,963 EV TLS certificates September 11-22, 2023, without including an EV TLS CP OID. Root Causes were the misinterpretation of the EV Guidelines and the TLS BRs and a failure to recognize the overriding requirements of the EV Guidelines. (A misinterpretation of standards led to non-compliant certificates, and linting failed to detect the issue.) Entrust also failed to provide its list of affected certificates or its incident report by a promised date, and did not give an explanation for that delay.
As remediation, since April 11, 2024, Entrust has used pkilint as a post-issuance linter to detect similar issues. (Mis-issued certificates are a subset of the certificates disclosed and being revoked under [https://bugzilla.mozilla.org/show_bug.cgi?id=1883843 bug #1883843]. Status of revocation is listed in [https://bugzilla.mozilla.org/show_bug.cgi?id=1886532 bug #1886532].)
'''Issues:''' Misinterpretation of Requirements; Policy/Procedure Failure; Certificate Mis-issuance; Incident Handling; Incident Response
=== 6. Delay in Updating CPS - ===