← HARICA cases
Bugzilla #1530971
Policy Compliance
HARICA: P-384,ecdsa-with-SHA256 Certificates
RESOLVED
FIXED
HARICA
AI Summary
HARICA identified a compliance issue where it had issued Intermediate CA Certificates using ECDSA P-384 keys with SHA256 hashing, violating Mozilla's Root Store Policy. This was discovered during a policy review on February 25, 2019. Following the identification, HARICA disabled certificate issuance from the affected subCAs and conducted a database scan, revealing one affected end-entity certificate and five intermediate CA certificates. The problematic certificates were planned for revocation by March 8, 2019, and mitigation measures were implemented to prevent recurrence. The issue has since been resolved.
Chronology
- Compliance issue discovered during policy review.
- Planned revocation of affected certificates.
- Feature request created for CA software to prevent similar issues.
- Remediation confirmed complete.
Participants
Dimitris Zacharopoulos
W. Thayer
External References
Similar Local Cases
GoDaddy: inconsistent disclosure of externally-operated intermediate
IdenTrust: basicConstraints not flagged "Critical" Per Certification Practices Statement
Lawtrust: The S/MIME CA’s policy identifiers did not align with the CA/Browser Forum Requirements.
IdenTrust: Failure to disclose Unconstrained intermediate Within 7 Days
Asseco DS / Certum: Failure to Update Policy Documents within 365 Days
Microsoft PKI Services: Firewall log data retention
QuoVadis: Recap of BR Compliance in 2018 issuance by external subCAs
Asseco DS / Certum: Use of forbidden subjectPublicKeyInfo algorithm