← iTrusChina Co., Ltd. cases
Bugzilla #1712664
Certificate Problem Report
iTrusChina: verification errors for the roots' CRLs(ARL)
RESOLVED
FIXED
iTrusChina Co., Ltd.
AI Summary
iTrusChina identified a design bug in their offline CA's ARL system that caused signature verification failures for their roots' CRLs. The issue was first reported on May 21, 2021, and iTrusChina took immediate action, halting certificate issuance and troubleshooting the problem. They discovered that the ARL information was not correctly assembled before signing, leading to inconsistencies. The bug was fixed, and a new version of the CA system was deployed to ensure proper verification of newly issued ARLs and CRLs. The case has been resolved with the implementation of additional checks to prevent future occurrences.
Chronology
- Issue reported in public discussion.
- iTrusChina began troubleshooting the issue.
- Bug identified and fixed in the CA system.
- Case resolved and bug marked as fixed.
Participants
vTrus_contact@itrus.cn
ryan.sleevi@gmail.com
bwilson@mozilla.com
External References
Similar Local Cases
SSL.com: Issuance of an EV TLS certificate with incorrect O Field Value
SSL.com: Issuance of 3 EV TLS certificates without 2-person validation of the organization information
Apple: EV Certificate Approver Authorization
D-TRUST: Issuance of non-conformant SSL certificate
Asseco DS / Certum: Incorrect OCSP response encoding
Apple: OCSP availability 2020-11-12
Multicert: AIA CA Issuer field pointing to PEM encoded cert
SwissSign: failure to provide a preliminary report within 24 hours