Bugzilla #1632632
Certificate Problem Report
Buypass: Illegal Business Category in a PSD2 QWAC
RESOLVED
FIXED
Buypass
AI Summary
Buypass reported that a PSD2 Qualified Website Authentication Certificate (QWAC) had been issued with an incorrect subject:businessCategory value, 'UN', instead of the required 'Private Organization'. The problem was identified immediately after issuance; the certificate was revoked and replaced, and issuance of similar certificates was halted until the cause was fixed. Buypass has since tightened its controls to prevent a repeat, including a systematic evaluation of its issuance processes and new validation checks.
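The fix described in the summary is a validation check before issuance. As an added illustration (not Buypass's code and not taken from this bug), the following Python lint decodes a DER-encoded subject Name, extracts subject:businessCategory (OID 2.5.4.15) and rejects any value outside the four strings the EV Guidelines (section 9.2.4) permit, which is the set a PSD2 QWAC must draw from. The sample subjects, the organization name 'Example AS', and the choice of UTF8String for every attribute are constructed assumptions for the example; a real subject would typically carry countryName as a PrintableString.

```python
"""Pre-issuance subject lint: reject a Name whose businessCategory is not a permitted value."""

# Content octets of the attribute-type OIDs as they appear inside a DER OBJECT IDENTIFIER.
OID_COUNTRY = bytes.fromhex("550406")            # 2.5.4.6  countryName
OID_ORGANIZATION = bytes.fromhex("55040a")       # 2.5.4.10 organizationName
OID_BUSINESS_CATEGORY = bytes.fromhex("55040f")  # 2.5.4.15 businessCategory

# EV Guidelines 9.2.4: the only strings permitted in subject:businessCategory.
ALLOWED_BUSINESS_CATEGORIES = frozenset({
    "Private Organization",
    "Government Entity",
    "Business Entity",
    "Non-Commercial Entity",
})


def _der_length(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + _der_length(len(content)) + content


def build_name(attrs):
    """Encode a list of (oid_content, string) pairs as an X.501 Name.

    Name ::= SEQUENCE OF RelativeDistinguishedName; each RDN here is a SET OF one
    AttributeTypeAndValue SEQUENCE { OID, UTF8String } (UTF8String is an assumption).
    """
    rdns = b"".join(
        der(0x31, der(0x30, der(0x06, oid) + der(0x0C, value.encode("utf-8"))))
        for oid, value in attrs
    )
    return der(0x30, rdns)


def _read_tlv(buf, pos):
    """Decode one TLV starting at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_name(name_der):
    """Return the subject as a list of (oid_content, value) pairs in encoded order."""
    tag, rdn_sequence, _ = _read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs = []
    pos = 0
    while pos < len(rdn_sequence):
        tag, rdn_set, pos = _read_tlv(rdn_sequence, pos)
        if tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        spos = 0
        while spos < len(rdn_set):
            tag, atv, spos = _read_tlv(rdn_set, spos)
            if tag != 0x30:
                raise ValueError("AttributeTypeAndValue must be a SEQUENCE")
            _, oid, vpos = _read_tlv(atv, 0)
            _, value, _ = _read_tlv(atv, vpos)
            # UTF8String, PrintableString and IA5String content all decode as UTF-8.
            attrs.append((oid, value.decode("utf-8")))
    return attrs


def lint_business_category(name_der):
    """Return a list of findings; an empty list means the subject passes this check."""
    findings = []
    values = [v for oid, v in parse_name(name_der) if oid == OID_BUSINESS_CATEGORY]
    if not values:
        findings.append("subject:businessCategory is missing")
    for value in values:
        if value not in ALLOWED_BUSINESS_CATEGORIES:
            findings.append(f"subject:businessCategory {value!r} is not a permitted EV value")
    return findings


# Constructed sample subjects (not the certificate from the incident): the first
# carries the illegal 'UN' value described above, the second a permitted value.
BAD_SUBJECT = build_name([
    (OID_COUNTRY, "NO"),
    (OID_ORGANIZATION, "Example AS"),
    (OID_BUSINESS_CATEGORY, "UN"),
])
GOOD_SUBJECT = build_name([
    (OID_COUNTRY, "NO"),
    (OID_ORGANIZATION, "Example AS"),
    (OID_BUSINESS_CATEGORY, "Private Organization"),
])

if __name__ == "__main__":
    for label, subject in (("bad", BAD_SUBJECT), ("good", GOOD_SUBJECT)):
        print(label, lint_business_category(subject) or "OK")
```

Running the check on the to-be-signed subject rather than on the CA's internal order record is the point: the lint sees exactly the bytes that would end up in the certificate, so a mapping error between the registration data and the encoded attribute is caught before signing instead of after publication.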
Chronology
- PSD2 QWAC issued and illegal value identified.
- Certificate revoked and replaced.
- Bug fix deployed.
Participants
Mads Henriksveen
Ben Wilson
Ryan Sleevi
External References
Similar Local Cases
Buypass: PSD2 QWAC with RSA modulus not divisible by 8
Buypass: Failure to revoke PSD2 QWACs within mandated 5 days
Buypass: Missing NCA identifier in cabfOrganizationIdentifier in PSD2 QWACs
Buypass: intermediate certificates not revoked within BR time period
Buypass: Intermediate certificates not listed in audit reports
Buypass: Domain validation method using not allowed domain contact
GlobalSign: Certificate issued with RSASSA-PSS public key
Buypass: TLS certificates with incorrect Subject attribute order