Bugzilla #1409859
Certificate Problem Report
Startcom: CAA Mis-Issuance: Lookup failure on DNSSEC-signed zone
RESOLVED
INVALID
Start Commercial (StartCom) Ltd.
AI Summary
A certificate requested from StartCom for a domain in a DNSSEC-signed zone hit a CAA lookup failure because the server did not respond to CAA queries. The timeout was misinterpreted as permission to issue the certificate, which contradicts the CAB Ballot 187 guidelines. StartCom acknowledged the issue and indicated that they were working on a fix. Subsequent updates suggested that the problem was resolved with a new EJBCA release. However, StartCom later announced their exit from the CA business.
Chronology
- User reported CAA lookup failure to StartCom.
- StartCom reported that the issue was fixed with a system update.
- StartCom announced exit from the CA business.
Participants
Quirin Scheitle
Iñigo
Gerv
Similar Local Cases
StartCom: duplicate serial numbers
StartCom: public exponent is 1
StartCom: IV without localityName or stateOrProvinceName
StartCom: Non-BR-Compliant Certificate Issuance -- adding Certnomis intermediates to OneCRL
DigiCert / Thawte: CAA Mis-Issuance on mix of wildcard and non-wildcard DNS names in SAN
StartCom cert not working in Firefox 4 beta
Clarification requested regarding remediation of StartCom certificate issuance vulnerability
Add Certinomis Cross-Signed StartCom certs to OneCRL