Changes

CA/Entrust Issues

160 bytes added, 10 May
E. Issues in Recent History: Added Issues to Section E
It was initially discovered that Entrust had issued 395 OV SSL certificates to a large international organization with “NA” for the state/province information. Entrust worked on a drop-down list to prevent the error. Certificate revocation would not occur within established timeframes, so [https://bugzilla.mozilla.org/show_bug.cgi?id=1658794 Bug #1658794] for delayed revocation was opened.
'''Issues:''' Certificate Mis-issuance
=== 2. Late Revocation for Invalid State/Province Issue - ===
Entrust mis-issued 322 EV certificates with the wrong state and locality jurisdiction fields due to complex data entry processes. Entrust implemented a different automated dropdown system for jurisdiction selection. Certificate revocation would not occur within established timeframes, so [https://bugzilla.mozilla.org/show_bug.cgi?id=1804753 Bug #1804753] for delayed revocation was opened.
'''Issues:''' Certificate Mis-issuance
=== 4. Delayed Revocation for EV TLS Certificate incorrect jurisdiction - ===
Two EV TLS Certificates were mis-issued due to human error in the Jurisdiction Locality field. (The incident revealed 340 additional accounts needing similar updates.) Entrust said it would enhance its linting processes to include possibly using an external service to validate locality data against verified country data.
'''Issues:''' Certificate Mis-issuance
=== 6. SHA-256 hash algorithm used with ECC P-384 key - ===
Entrust committed to rigorous review of certificate profiles, browser policy revisions, and industry developments. As a final comment, Ryan said, “My big concern is, going forward, we see incident reports from Entrust take a more systemic, holistic response, like Comment #16, to try and cover the scenarios, and to provide sufficient detail about the situation and its failures to understand how those relate. The goal isn't to make CAs wear proverbial sackcloth, it's to try and make sure we're understanding how things go wrong, so that we can effectively collaborate on identifying solutions to avoid that going forward.”
'''Issues:''' Certificate Mis-issuance; Policy/Procedure Failure; Incident Response; Incident Handling
=== 7. Late Revocation due to SHA-256 hash algorithm - ===
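Review bot: the "Issues:" line for the SHA-256/P-384 entry lists both "Incident Response" and "Incident Handling", and nothing in the visible text says how the two categories differ. Either keep one of them or define the distinction where the tags are introduced, so the tagging stays consistent with the other entries, which carry only "Certificate Mis-issuance".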