← AC Camerfirma, S.A. cases
Bugzilla #1420871
Certificate Misissuance
Camerfirma: Potential Mis-Issuance based on CAA records
RESOLVED
FIXED
AC Camerfirma, S.A.
AI Summary
The case involves Camerfirma's potential mis-issuance of a certificate due to a failure to check CAA records. It was determined that the issuance bypassed required CAA checks, which led to the certificate being revoked on November 28, 2017. The misunderstanding stemmed from an interpretation of the BR that suggested CAA checking was optional under certain conditions. Following discussions, Camerfirma acknowledged the error and has since activated CAA check controls in all their Registration Authorities.
Chronology
- Bug filed regarding potential mis-issuance.
- Affected certificate revoked.
- Camerfirma acknowledges misunderstanding of CAA requirements.
- Case closed as no further actions are pending.
Participants
Quirin Scheitle
Ramiro Muñoz Muñoz
Gervase Markham
External References
Similar Local Cases
Camerfirma: Certs issued with same issuer and serial number
Asseco DS / Certum: CAA Mis-Issuance on mix of wildcard and non-wildcard DNS names in SAN
DigiCert: RapidSSL CAA Mis-Issuance: Lookup failure on DNSSEC-signed zone
Globalsign / AlphaSSL: CAA Mis-Issuance on mix of wildcard and non-wildcard DNS names in SAN
Asseco DS / Certum: CAA Mis-Issuance on CNAME pointing directly to restrictive CAA record
Camerfirma: MULTICERT organizationName Too Long
Camerfirma: Non-BR-Compliant Issuance - Non-printable characters in OU field
Camerfirma: Non-BR-Compliant Issuance - DNSName is empty