= Examples of Good Practice =
Here are some examples of good practice, where a CA did most or all of the things recommended above.
== Let'''Note s Encrypt: keyCompromise key blocking deviation from CP/CPS ==https://bugzilla.mozilla.org/show_bug.cgi?id=1886876* Clear indication of Preliminary and Full Incident Reports.* Detailed timeline that identifies all policy, process, and software changes that these incident reports conformed contributed to the root cause, and an earlier version indication of when the incident reporting templatebegan and ended.* Detailed Root Cause Analysis that offers background on the various conditions that gave rise to the issue.* Timely updates in response to questions posed, continued analysis, and changes to Action Items.'''
== Let's Encrypt Unicode Normalization Compliance Incident Google Trust Services: Failure to properly validate IP address ==https://bugzilla.mozilla.org/show_bug.cgi?id=1876593* Significant amount of background information that informs the timeline of the incident.* Clear identification of the contributing factors that contributed to the incident that notes how many of them avoided detection in the Root Cause Analysis.* Action Items that prevent, mitigate, and detect what didn’t go well.* Timely and detailed updates conveying Action Item status.
* [https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/g6_zGA2exXw Initial Public Problem Report], 2017-08-10 20:23 UTC (apparently LE were made aware of the problem privately earlier that day)* [https://groups.google.com/d/msg/mozilla.dev.security.policy/g6_zGA2exXw/_tXldrbIBwAJ Initial Public Response from CA], 2017-08-10 21:53 UTC* [https://groups.google.com/d/msg/mozilla.dev.security.policy/nMxaxhYb_iY/AmjCI3_ZBwAJY Final Report from CA], 2017-08-11 03:00 UTC In this case, the CA managed to diagnose the problem, remediate it, and deploy the fix to production within 24 hours. == PKIOverheid Short Serial Number Incident == * [httpsHARICA://groups.google.com/d/msg/mozilla.dev.security.policy/vl5eq0PoJxY/uD-Li1w1BgAJ Initial Public Problem Report], 2017-07-18 22:26 UTC* [https://groups.google.com/d/msg/mozilla.dev.security.policy/vl5eq0PoJxY/TzH5eI9dAQAJ Initial Public Response from Anomaly in OCSP services after CA], 2017-07-25 19:20 UTC* [https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/vl5eq0PoJxY/W1D4oZ__BwAJ Final Report from CA], 2017-08-11 14:39 UTC While the CA could have provided interim updates, and the final report was a little delayed, the contents of it were excellent. software upgrade == SecureTrust "Some-State" in stateOrProvinceName == * [https://bugzilla.mozilla.org/show_bug.cgi?id=1551374 Initial Public Problem Report], 2019-05-14 00:49 UTC1878106* [https://bugzilla.mozilla.org/show_bugClear Summary that provides just enough context for new readers to understand the rest of the report.cgi?id=1551374#c1 Initial Public Response from CA], 2017-05-15 19:40 UTC* [https://bugzilla.mozilla.org/show_bug.cgi?id=1551374#c8 Final Report from CA], 2017-06-14 9:43 UTC The level Effective use of detail provided by the CA in both the initial report and follow-up responses “5 Whys” Root Cause Analysis methodology where “why” is comprehensive, asked as is many times as necessary to identify the root cause of the work performed incident.* Action Items that prevent and detect what didn’t go well.* Timely updates in response to identify additional occurrences questions posed and changes to remediate the issueAction Items.
