← Telia Company cases
Bugzilla #1551372
Certificate Misissuance
Telia: "Some-State" in stateOrProvinceName
RESOLVED
FIXED
Telia Company
AI Summary
Telia Company reported a certificate misissuance where a certificate contained the stateOrProvinceName value of "Some-State", which was not properly validated according to the Baseline Requirements. The issue was identified on May 11, 2019, and Telia took corrective actions, including revocation of the certificate and an incident report submission. The company has since ceased using the state attribute in their certificates and implemented new validation processes to prevent similar issues in the future. However, concerns were raised regarding the adequacy of their incident response and validation processes.
Chronology
- Telia received a report about the invalid ST value.
- The problematic certificate was replaced and revoked.
- Concerns about the adequacy of Telia's validation processes were raised.
- Telia identified additional invalid locality values during further review.
- Telia provided updates on their incident response improvements.
Participants
Wayne Thayer
Pekka Lahtiharju
Ryan Sleevi
External References
Similar Local Cases
Telia: Misissued certificate - invalid dnsName
Telia: Failure to disclose Unconstrained Intermediate within 7 Days
Hongkong Post / Certizen: Failure to report misissuance
Microsoft PKI Services: Certificate Mis-Issuance, Locality Missing
DigiCert: "Some-State" in stateOrProvinceName
SwissSign: "Some-State" in stateOrProvinceName
KIR S.A.: Misissuance - missing OCSP AIA, Validity > 825 days
Asseco DS / Certum: Invalid value in SAN dNSName