← Actalis cases
Bugzilla #1717357
Certificate Misissuance
Actalis: Issuance of intermediates after 2020-08-20 that do not comply with Mozilla Policy and the Baseline Requirements
RESOLVED
FIXED
Actalis
AI Summary
Actalis issued an intermediate CA certificate that included both `id-kp-serverAuth` and `id-kp-emailProtection`, violating Mozilla's policies and the Baseline Requirements. Following the discovery of this issue, Actalis acknowledged the problem and took steps to revoke the affected certificates. They also revised their internal procedures to prevent future occurrences. The incident raised concerns about potential impacts on S/MIME certificates used by Italian PEC providers, which could lead to invalid signatures on past messages. The case was resolved with the revocation of the problematic certificate.
Chronology
- Bug reported regarding non-compliance with Mozilla Policy.
- Actalis acknowledged receipt of the issue.
- AgID CA1 certificate revoked as planned.
- Bug closed by Mozilla.
Participants
Ryan Sleevi
Adriano Santoni
Kathleen Wilson
External References
Similar Local Cases
Actalis: Certs issued with same issuer and serial number
Actalis: Insufficient serial number entropy
Certinomis: Cross-signing of StartCom intermediate certs, and delay in reporting it in CCADB
NetLock: Non-BR-Compliant Certificate Issuance
Microsec: Non-BR-Compliant Certificate Issuance
Disig: Non-BR-Compliant Certificate Issuance
DigiCert: DigiCert issued cert with CN too long
DigiCert / Siemens: Insufficient Serial Number Entropy