← DarkMatter LLC cases
Bugzilla #1581597
Policy Compliance
QuoVadis: Unconstrained CAs missing audits
RESOLVED
FIXED
DarkMatter LLC
AI Summary
The case addresses the issue of QuoVadis having unconstrained Certificate Authorities (CAs) that were missing necessary audits. Following a notification from the Chrome Root Authority program, QuoVadis identified 18 Intermediate Certificate Authorities (ICAs) that were not capable of issuing TLS certificates but had not been properly disclosed in their audit reports. The situation led to a series of revocations and updates to their audit processes to ensure compliance with Mozilla's requirements. QuoVadis has since revoked several CAs and updated their audit reports to include the previously omitted ICAs.
Chronology
- Received notification from Chrome Root Authority regarding audit status.
- Met with WebTrust auditors to finalize audit report amendments.
- Updated audit reports were issued for QuoVadis.
- Revoked QuoVadis Swiss Advanced CA G2 and completed key destruction.
Participants
Stephen Davidson
Kathleen Wilson
Ryan Sleevi
External References
Similar Local Cases
QuoVadis: Non-BR-Compliant Certificate Issuance
QuoVadis: Recap of BR Compliance in 2018 issuance by external subCAs
PKIoverheid / QuoVadis: CPS inconsistencies
PKIoverheid: No BR Audit for Intermediate CAs technically capable of issuing TLS certs
Izenpe: Non-BR-Compliant Certificate Issuance
Camerfirma: Govern d'Andorra audits
PKIoverheid / QuoVadis: CPS inconsistencies
SwissSign: BRs require full annual audits