Bugzilla #1532842
Certificate Misissuance
Google Trust Services: 63 bit serial numbers in some certificates
RESOLVED FIXED
Google Trust Services LLC
AI Summary
Google Trust Services (GTS) identified that some of the certificates it issued were generated with EJBCA, which produced serial numbers with only 63 bits of effective entropy, below the required minimum. GTS acknowledged this as a misissuance but stated that it did not pose a material security risk. It has since revoked and replaced approximately 95% of the affected certificates and plans to address the remainder before they expire. The review was prompted by discussion of another CA's serial number generation problems, which led GTS to examine its own practice.
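An added check, not part of the Bugzilla record or of GTS's or EJBCA's code, for the defect this summary describes. It models a generator that draws 64 random bits and clears the top bit (my assumption about why the serials had 63 effective bits; the page does not state the mechanism) beside a compliant one, and audits a population of serial numbers against the Baseline Requirements' 64-bit minimum. The hex-string input format and the 40-sample threshold are my choices.

```python
import secrets

# CA/Browser Forum Baseline Requirements 7.1: serial numbers must contain at
# least 64 bits of output from a CSPRNG.
REQUIRED_BITS = 64

_sys_rng = secrets.SystemRandom()


def capped_serial(rng=_sys_rng):
    """Model of the flawed generator (assumption, not EJBCA's code): draw 64
    random bits, then clear the top bit so the DER INTEGER stays positive.
    Only 63 bits ever vary, so every output fits in 63 bits."""
    return rng.getrandbits(64) & ((1 << 63) - 1)


def compliant_serial(rng=_sys_rng):
    """Draw 64 random bits and prepend a fixed leading 1 bit: the value is
    always positive and all 64 bits of CSPRNG output are retained."""
    return (1 << 64) | rng.getrandbits(64)


def serial_bit_length(serial_hex):
    """Bit length of a serial given as hex (openssl/crt.sh style, with or
    without ':' separators); leading zero octets do not count."""
    return int(serial_hex.replace(":", ""), 16).bit_length()


def serials_hex(generator, n):
    """Constructed sample: n serials from generator, rendered as hex."""
    return [format(generator(), "x") for _ in range(n)]


def audit_serials(serial_hexes, min_samples=40):
    """Flag a population whose entropy looks capped below REQUIRED_BITS.

    A single short serial proves nothing: a compliant 64-bit generator
    produces a 63-bit-or-shorter value half the time. But if none of at least
    min_samples serials reaches 64 bits, that happens with probability
    2**-min_samples under a compliant generator, so the population is flagged.
    Returns (max_bit_length, suspicious).
    """
    lengths = [serial_bit_length(s) for s in serial_hexes]
    max_len = max(lengths)
    suspicious = len(lengths) >= min_samples and max_len < REQUIRED_BITS
    return max_len, suspicious
```

Run the audit over serials pulled from a CA's CT-logged certificates rather than over generated samples to check a real issuer; the helper generators exist only to show both outcomes.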
Chronology
- Concerns raised about serial entropy in Dark Matter certificates.
- GTS begins reviewing serial number generation behavior.
- GTS decides to replace and revoke all affected certificates.
- Certificate revocation begins.
- All remaining affected certificates were revoked.
Participants
ryan_hurst@hotmail.com
ryan.sleevi@gmail.com
awarner@google.com
External References
Similar Local Cases
Google Trust Services: Mis-issued certificates for citi.com subdomain due to lack of CAA record checking
GlobalSign: AT&T SSL certificates without the AIA extension
Dhimyotis / Certigna: Certificates issued with validity periods greater than 398-days
GlobalSign: 4 Misissued certificates with invalid CN
SSL.com: Incorrect Domain Validation for 1 TLS certificate with FQDN having "www." string within domain labels
Telia: Misissued certificate - Invalid wildcard format
Logius: Staat der Nederlanden CA trust issue (WiV)
Entrust: IP in dnsName