Bugzilla #1591005
Certificate Problem Report
GlobalSign: ICAs in CCADB, without EKU extension are listed in WTCA report but not in WTBR report
RESOLVED
FIXED
GlobalSign nv-sa
AI Summary
GlobalSign identified that 30 Intermediate Certificate Authorities (ICAs) were listed in the WebTrust CA audit report but not in the WebTrust Baseline Requirements (WTBR) report. These ICAs, while technically capable of TLS issuance due to the absence of Extended Key Usage (EKU) extensions, were not intended for such use and had not issued TLS certificates. The oversight was attributed to a misunderstanding of Mozilla's policy regarding the technical capabilities of ICAs. GlobalSign has since taken steps to revoke the affected ICAs and amend the audit reports accordingly.
Chronology
- Discovery of 30 ICA certificates not listed in WTBR report.
- Revocation of three ICAs.
- Revocation of additional ICAs.
- Final key destruction of affected CA.
Participants
Arvid Vermote
Ryan Sleevi
Kathleen Wilson
Similar Local Cases
GlobalSign: Failure to revoke noncompliant ICA within 7 days
GlobalSign: Non-BR-Compliant Certificate Issuance -- RSA key smaller than 2048 bits
GlobalSign: Invalid stateOrProvinceName value
GlobalSign: Non-BR-Compliant Certificate Issuance - metadata-only subject fields
GlobalSign: Invalid stateOrProvinceName and locality pair
GlobalSign: Failure to revoke noncompliant certificates within 5 days
GlobalSign: Failure to revoke noncompliant ICA within 7 days
GlobalSign: Incorrect OCSP Delegated Responder Certificate