Bugzilla #1645686
Certificate Problem Report
Sectigo: Lack of input validation in stateOrProvinceName
RESOLVED
DUPLICATE
Sectigo
AI Summary
This case addresses a significant issue with Sectigo's input validation for the stateOrProvinceName field in their EV certificates. Multiple misissued certificates were identified, including incorrect values such as 'Default Province' and 'null'. The problem was acknowledged by Sectigo, which indicated that the certificates were queued for revocation. The case highlights the challenges in ensuring compliance with validation requirements and the need for improved oversight in certificate issuance processes.
Chronology
- Initial report of misissued certificates due to lack of input validation.
- Sectigo acknowledges the issue and begins investigation.
- Sectigo implements changes to prevent future misissuance.
- All certificates with invalid ST (stateOrProvinceName) fields were revoked or expired.
Participants
Rich Smith
George [:fozzie]
Ryan Sleevi
Robin Alden
Paul Leo Steinberg
Ben Wilson
Tim Callan
External References
Similar Local Cases
Sectigo: Failure to provide a preliminary report within 24 hours.
Sectigo: EV SSL Certificates with incorrect subject details.
Sectigo: Failure to revoke key-compromised certificates
Sectigo: Misspellings in stateOrProvince or localityName fields
Sectigo: Mojibake in certificate Subject fields
Sectigo: OCSP responses directly signed using root certificates without KU=digitalSignature
Sectigo: Failure to provide timely incident reports
Sectigo: CPR response issues