Bugzilla #1397830
Policy Compliance
EDICOM: Signing SHA-1 OCSP responses with unconstrained certificate
RESOLVED
FIXED
EDICOM
AI Summary
EDICOM was found to be signing OCSP responses with SHA-1 using an unconstrained certificate, violating Mozilla's Root Store Policy. Despite previous communications stating they would cease this practice, technical challenges prevented them from disabling SHA-1. Consequently, EDICOM decided to stop supporting their old Certification Authority Root and initiated the process to remove it from the trusted PKI Root. The case has been resolved with a plan to remove the old root certificate.
Chronology
- Bug reported regarding SHA-1 OCSP responses.
- EDICOM acknowledged technical issues with disabling SHA-1.
- Request filed to remove the old ACEDICOM root certificate.
- Discussion on removing the Security Issue flag.
Participants
Andrew Ayer
Raúl Santisteban
Kathleen Wilson
Gervase Markham
Ryan Sleevi
Similar Local Cases
SwissSign: Non-BR-Compliant Certificate Issuance
Izenpe: Non-BR-Compliant Certificate Issuance
SwissSign: BRs require full annual audits
KIR S.A.: CP/CPS contains noncompliant DV method, does not specify CAA domains
SECOM: CP/CPS does not clearly specify domain validation methods
FNMT: CP/CPS lack CAA processing details
SECOM: Non-BR-Compliant Certificate Issuance
Amazon Trust Services: CP/CPS does not specify key compromise methods