What exactly defines the scope of "affected serials"?
It was for certificates that had only domain names longer than 64 characters, such that the common name (CN) for the certificate was blank by necessity. This thread is for commenting on the issue, so thank you for posting here. Details of the incident are here
Pretty close, but a lot more subcommands
Question: did these certificates violate CA/B rules, or were they just inconsistent with ISRG standards and needed to be revoked because of that?
It was only an issue with our own CP/CPS, which is why we could resume issuance as soon as it was updated.
And thus being in violation of the BR.
Edit: hm, the BR does mention compliance at the list of revocation reasons, but with a few minutes of searching I can't find the part where it actually says you need to revoke the certs? Anyone have better search-fu than I do?
Awesome. Thanks for the clarification. I was pretty sure it was that scenario. I didn't expect an "internal compliance" revocation like that would necessitate a full public bugzilla report - which is why I asked above.
The Baseline Requirements, Version 2.0.8, Section 4.9.1.1:
the CA... MUST revoke a Certificate within 5 days... if... [t]he CA is made aware that the Certificate was not issued in accordance with... the CA's Certificate Policy or Certification Practice Statement
Ah, thanks, I searched for the abbreviations and "compliance", which did not result in that part.