Bugzilla #1652581
Technical Compliance
Google Trust Services: digitalSignature KeyUsage not set
RESOLVED
FIXED
Google Trust Services LLC
AI Summary
Google Trust Services identified that their root CA certificates did not have the digitalSignature KeyUsage bit set, which is required for signing OCSP responses. The issue was brought to their attention by an external inquiry, prompting a review of their CA profiles. After discussions, they agreed to reissue the affected certificates with the necessary KeyUsage set. The reissuance ceremony was successfully completed on August 13, 2020, and the certificates are now compliant with the relevant requirements.
Chronology
- Discussion of security-relevant issues leads to a review of CA profiles.
- Notification received about missing digitalSignature bit.
- Reissuance ceremony completed successfully.
Participants
Andy Warner
Ryan Sleevi
Rob Wilson
Similar Local Cases
Google Trust Services: CRL validity period set to expected value plus one second
Google Trust Services: OCSP responses not published in a timely manner
Google Trust Services: uses "DNSSec-mostly" and DTPs for DNS resolution
GoDaddy: DV certificates with organizationalUnit field in subject
Visa: Non-BR-Compliant OCSP Responders
Asseco DS / Certum: Forward dating certificates (notBefore in the future)
FNMT: QC Statement that contains at least one of the ETSI ESI statements
Entrust: Non-BR-Compliant OCSP Responder