← SK ID Solutions AS cases
Bugzilla #1649942
Certificate Problem Report
SK ID Solutions: Incorrect OCSP Delegated Responder Certificate
RESOLVED
FIXED
SK ID Solutions AS
AI Summary
SK ID Solutions AS issued OCSP Delegated Responder certificates without the required 'id-pkix-ocsp-nocheck' response, violating Baseline Requirements. The issue was acknowledged by SK ID Solutions, which initiated an investigation and risk assessment. They decided not to revoke the affected root and intermediate certificates but planned to let the last valid end-entity TLS certificates expire. Mozilla plans to remove the root certificate from its trust store in an upcoming release, addressing the compliance issue.
Chronology
- SK ID Solutions became aware of the problem reported in Bugzilla.
- SK ID Solutions provided an incident report detailing their investigation and action plan.
- Mozilla confirmed the removal of the root certificate and agreed to close the bug.
Participants
Ryan Sleevi
Kathleen Wilson
Mihkel Tammsalu
B Wilson
External References
Similar Local Cases
SECOM: Incorrect OCSP Delegated Responder Certificate
GlobalSign: ICAs in CCADB, without EKU extension are listed in WTCA report but not in WTBR report
HARICA: Incorrect OCSP Delegated Responder Certificate
DigiCert / Microsoft: inconsistent disclosure of externally-operated intermediate
GlobalSign: Non-BR-Compliant Certificate Issuance - metadata-only subject fields
DocuSign/Keynectis: Non-BR-Compliant OCSP Responders
D-TRUST: Non-BR-Compliant Certificate Issuance
Firmaprofesional: Non-audited, non-technically-constrained intermediate certificates