Changes

The certificate transparency (CT) component of ECM’s CA software was misconfigured and lacked internal controls (allowing the creation of a CT pre-certificate containing an SCT), and it was not updated to accommodate URL changes. ECM did not revoke the mis-issued pre-certificate within 5 days. ECM’s incident reporting did not meet expected standards of detail and clarity, e.g. The incident report did not adequately address root causes or clearly explain corrective measures or their effectiveness in preventing future incidents. See [https://bugzilla.mozilla.org/show_bug.cgi?id=1815534#c30 Comment #30]. There was significant delay (nearly 3 months) in responding to a request for an updated incident report. See [https://bugzilla.mozilla.org/show_bug.cgi?id=1815534#c37 Comment #37].