← HARICA cases
Bugzilla #1530971
Policy Compliance
HARICA: P-384,ecdsa-with-SHA256 Certificates
RESOLVED
FIXED
HARICA
AI Summary
HARICA identified a compliance issue where it had issued Intermediate CA Certificates using ECDSA P-384 keys with SHA256 hashing, violating Mozilla's Root Store Policy. This was discovered during a policy review on February 25, 2019. Following the identification, HARICA disabled certificate issuance from the affected subCAs and conducted a database scan, revealing one affected end-entity certificate and five intermediate CA certificates. The problematic certificates were planned for revocation by March 8, 2019, and mitigation measures were implemented to prevent recurrence. The issue has since been resolved.
Chronology
- Compliance issue discovered during policy review.
- Planned revocation of affected certificates.
- Feature request created for CA software to prevent similar issues.
- Remediation confirmed complete.
Participants
Dimitris Zacharopoulos
W. Thayer
External References
Similar Local Cases
GoDaddy: inconsistent disclosure of externally-operated intermediate
IdenTrust: Failure to disclose Unconstrained intermediate Within 7 Days
QuoVadis: Recap of BR Compliance in 2018 issuance by external subCAs
Asseco DS / Certum: Use of forbidden subjectPublicKeyInfo algorithm
SwissSign: Non-BR-Compliant Certificate Issuance
Staat der Nederlandend / PKIoverheid: Non-BR-Compliant Certificate Issuance
Verify GlobalSign's continued conformance to EV guidelines
ANF AC: Finding #2 ETSI Audit - Information security policy not updated on the website