← DocuSign (OpenTrust/Keynectis) cases
Bugzilla #1444455 Technical Compliance

DocuSign/Keynectis: Non-Compliant Technically Constrained Intermediates

RESOLVED FIXED DocuSign (OpenTrust/Keynectis)
AI Summary

The case involves two Keynectis subordinate CAs that were not properly disclosed and contain non-critical name constraints extensions, violating RFC 5280. The issue was raised by Wayne Thayer, who requested an incident report due to the lack of DirectoryName constraints required for technically constrained CAs. The CA owner, DocuSign, acknowledged the problem and proposed actions to disable the serverAuth flag on their root CAs and revoke the existing issuing CA. The case has been resolved with the CA now listed for audit.

Model: gpt-4o-mini Generated: 2026-06-13 17:45 UTC Confidence: 0.90
Chronology
  1. Bug opened regarding non-compliance of Keynectis subordinate CAs.
  2. Incident report provided by DocuSign regarding the non-compliant CAs.
  3. DocuSign confirmed plans for an audit of the CA.
  4. Resolution confirmed as the CA is now listed for audit.
Participants
Wayne Thayer Erwann Abalea
External References
Original Bugzilla Case crt.sh wiki.mozilla.org
Similar Local Cases
#1398246 RESOLVED Technical Compliance Opened 2017-09-08 · Closed 2023-02-22 · 47% similar
Consorci AOC: Non-BR-Compliant OCSP Responders
AI Summary CA Owner
#1428891 RESOLVED Technical Compliance Opened 2018-01-08 · Closed 2023-02-22 · 46% similar
Entrust: Non-BR-Compliant OCSP Responder
AI Summary CA Owner
#1436173 RESOLVED Technical Compliance Opened 2018-02-06 · Closed 2023-02-22 · 45% similar
DigiCert: SCEE / Justica: Non-BR-Compliant Certificate Issuance
AI Summary CA Owner
#1398240 RESOLVED Technical Compliance Opened 2017-09-08 · Closed 2023-02-22 · 39% similar
Firmaprofesional: Non-BR-Compliant OCSP Responders
AI Summary CA Owner
#1398261 RESOLVED Technical Compliance Opened 2017-09-08 · Closed 2023-02-22 · 38% similar
Visa: Non-BR-Compliant OCSP Responders
AI Summary CA Owner
#1015767 RESOLVED Technical Compliance Opened 2014-05-25 · Closed 2022-11-14 · 38% similar
startcom: still issuing < 2048 bit certificates
AI Summary CA Owner
#1914893 RESOLVED Technical Compliance Opened 2024-08-26 · Closed 2024-09-18 · 38% similar
Amazon Trust Services: CRL not DER-encoded
AI Summary CA Owner
#1990272 RESOLVED Technical Compliance Opened 2025-09-23 · Closed 2026-05-04 · 37% similar
SwissSign: recommendation on backup testing
AI Summary CA Owner

We use only essential cookies and local browser storage for preferences and security. See our Privacy Policy for details.

Confirm action