Changes

ECM became aware that it had created a pre-certificate and corresponding final certificate with different validity periods. It noted the problem , and revoked both the pre-certificate and the final certificate, however ECM selected an incorrect value for the revocationReason CRL extension. More than a month went by without acknowledging the misissuance and attempting to remediate the underlying causes. ECM discovered a bug in their system that caused the mismatched validity periods when the pre-certificate and final certificate are not issued on the same day. ECM’s incident reporting did not disclose a second occurrence related to the issue. ECM was asked several follow-up questions about the incident report. Some questions were not promptly answered because ECM apparently lacks adequate personnel to provide more timely answers. The bug indicates also reveals that ECM also needs better communication, incident reporting and incident management in order to increase transparency and community trust.