Bugzilla #1717046
Certificate Problem Report
Sectigo: potentially invalid organizational validation certificates
RESOLVED
INVALID
Sectigo
AI Summary
This case involves concerns regarding Sectigo's issuance of multiple organizational validation certificates for Alipay US Inc. The user reported that the domains associated with these certificates do not appear to be under the control of Alipay US Inc., suggesting a failure in the validation process. Sectigo's SSL Abuse and Malware Team stated that the certificates were issued in accordance with their policies. The case was ultimately resolved with a status of 'INVALID' as further investigation did not yield sufficient evidence of a CA incident.
Chronology
- User reports potentially invalid certificates issued by Sectigo.
- Sectigo's SSL Abuse and Malware Team responds, asserting compliance with policies.
- Discussion concludes with a recommendation to mark the case as 'INVALID'.
Participants
nickcao@nichi.co
ryan.sleevi@gmail.com
bwilson@mozilla.com
Similar Local Cases
Sectigo: Failure to revoke key-compromised certificate within 24 hours
Sectigo: Failure to properly respond to a report of subscriber key compromise
SSL.com: Issuance of 3 EV TLS certificates without 2-person validation of the organization information
Sectigo: "unauthorized" OCSP responses
GoDaddy: Failure to revoke key-compromised certificates within 24 hours
FNMT: Issuance of QCP-n certificates without verifying identity
SSL.com: Issuance of an EV TLS certificate with incorrect O Field Value
Sectigo: Missing Intermediate CA Certificate in Audit - D-TRUST CA 2-1 2015