Bugzilla #1398427
Certificate Misissuance
Let's Encrypt: CAA Misissuances
RESOLVED
Internet Security Research Group
AI Summary
This case addresses two certificates that Let's Encrypt was reported to have issued in violation of the Baseline Requirements' CAA checking rules. Let's Encrypt revoked both certificates, acknowledged the compliance issues and changed its CAA checking algorithm to align with the requirements; Mozilla later confirmed that the first certificate had not in fact been misissued. The matter was resolved with a commitment to ongoing compliance.
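The case record above does not describe the specific defect in Let's Encrypt's CAA checker, so the following is an added illustration only, not Boulder's code and not taken from this bug: a CA-side CAA issuance check implementing the RFC 8659 relevant-RRset lookup (walk from the FQDN toward the root and stop at the first name that has any CAA records) and the issuance decision on that set. The zone contents, the `CAA` dataclass and the function names `relevant_caa_set` and `caa_permits` are all constructed for this example. It covers the edge cases a compliant checker must get right: climbing to a parent's records, `issue ";"` denying all issuers, an unknown tag with the critical flag set, and `issuewild` taking precedence over `issue` for wildcard names.

```python
"""RFC 8659 CAA check over an in-memory zone.

Added example: this is NOT Boulder's implementation and does not reproduce the
defect discussed in the bug above. It follows the RFC 8659 algorithm, which
(unlike the original RFC 6844 text) does not chase CNAME/DNAME targets.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

CRITICAL = 0x80                       # RFC 8659 s4.1: issuer-critical flag (bit 7)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


def relevant_caa_set(zone: Dict[str, List[CAA]], fqdn: str) -> Optional[List[CAA]]:
    """RFC 8659 s3: the Relevant RRset is the CAA RRset of the first name, from
    the FQDN toward the root, that has any CAA records. None if there is none."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return None


def _issuer_domain(value: str) -> str:
    """issue/issuewild values look like '<issuer-domain> [; param=value ...]'.
    An empty issuer domain (e.g. the value ';') authorizes no issuer at all."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(zone: Dict[str, List[CAA]], fqdn: str, ca_domain: str) -> bool:
    """Return True if a CA identified by ca_domain may issue for fqdn."""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn
    rrset = relevant_caa_set(zone, name)
    if rrset is None:
        return True                   # no CAA anywhere up the tree: unrestricted
    # Any record with an unrecognized tag AND the critical flag set forbids issuance.
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # RFC 8659 s4.3: for a wildcard name, issuewild (if present) replaces issue.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True                   # e.g. only iodef records: not restricted
    return any(_issuer_domain(r.value) == ca_domain.lower() for r in governing)


# Constructed sample zone (example names only, not real DNS data).
ZONE: Dict[str, List[CAA]] = {
    "example.com": [CAA(0, "issue", "letsencrypt.org"),
                    CAA(0, "iodef", "mailto:security@example.com")],
    "locked.example.com": [CAA(0, "issue", ";")],
    "strict.example.com": [CAA(CRITICAL, "futuretag", "x"),
                           CAA(0, "issue", "letsencrypt.org")],
    "wild.example.com": [CAA(0, "issue", "letsencrypt.org"),
                         CAA(0, "issuewild", "digicert.com")],
    "open.example.net": [CAA(0, "iodef", "mailto:caa@example.net")],
}


if __name__ == "__main__":
    for fqdn, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("locked.example.com", "letsencrypt.org"),
                     ("strict.example.com", "letsencrypt.org"),
                     ("*.wild.example.com", "letsencrypt.org"),
                     ("*.wild.example.com", "digicert.com"),
                     ("host.open.example.net", "anyca.example"),
                     ("nocaa.example.org", "anyca.example")]:
        print(f"{fqdn:24} {ca:18} -> {caa_permits(ZONE, fqdn, ca)}")
```

Two design points worth noting: the walk stops at the first name that has CAA records, so a subdomain with its own (even more permissive) CAA set shadows the parent's, and the critical-flag test runs before the issuer match, so a future tag a CA does not understand fails closed rather than being silently ignored.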
Chronology
- Initial report of CAA misissuances
- Certificates revoked and fixes deployed
- CAA checking algorithm updated for compliance
- Mozilla confirmed no misissuance for cert #1
Participants
Josh Aas
Andrew Ayer
Kathleen Wilson
Gervase Markham
Similar Local Cases
Let's Encrypt: certs issued contrary to CPS due to incomplete blocklist
Amazon Trust Services: CAA Misissuances
Let's Encrypt: Attacker-controlled google.tg certificate being used in the wild.
SHA-1 issuance by Visa root
Camerfirma: Certs issued with same issuer and serial number
Certinomis: Cross-signing of StartCom intermediate certs, and delay in reporting it in CCADB
SHA-1 issuance by DocuSign root
SHA-1 issuance by DigiCert roots