Bugzilla #1612389
Policy Compliance
Google Trust Services: invalid curve-hash combination
RESOLVED
FIXED
Google Trust Services LLC
AI Summary
Google Trust Services LLC identified a compliance issue regarding the use of an invalid curve-hash combination in two subordinate CAs (GTSY3 and GTSY4) created under Mozilla Policy 2.6.1. The issue arose from a misunderstanding of the policy requirements, which were clarified in the subsequent Mozilla Policy 2.7. Following the discovery, GTS ceased issuance of certificates with the problematic combination and successfully revoked and replaced the affected CAs. The organization has since implemented procedural improvements and automated compliance checks to prevent similar issues in the future.
Chronology
- GTSY3 and GTSY4 Subordinate CAs issued under Mozilla Root Store Policy 2.6.1.
- Mozilla Root Store Policy 2.7 enters into effect.
- Decision made to revoke and replace both GTSY3 and GTSY4.
- Bug reported regarding the issue.
Participants
Andy Warner
Ryan Sleevi
Wayne Thayer
Similar Local Cases
GoDaddy: Non-BR-Compliant Certificate Issuance
Camerfirma: Govern d'Andorra audits
Google Trust Services: Out-of-date CPS disclosure
QuoVadis: Recap of BR Compliance in 2018 issuance by external subCAs
NetLock: Issuance of intermediates after 2019-01-01 that do not comply with Mozilla Policy
PKIoverheid: KPN CPS lacks CPR problem reporting instructions
PKIoverheid: Compliance issues CIBG TLS certificates
PKIoverheid: No BR Audit for Intermediate CAs technically capable of issuing TLS certs