Bugzilla #1722089
Certificate Problem Report
SSL.com: Issuance of 3 EV TLS certificates without 2-person validation of the organization information
RESOLVED
FIXED
SSL.com
AI Summary
SSL.com issued three Extended Validation (EV) TLS certificates without the required two-person validation process. The issue was identified during a routine check by their validation team, leading to an internal investigation. A bug in their API was discovered, which allowed certificates to be issued without proper validation evidence. All three affected certificates were revoked promptly after the issue was confirmed. SSL.com has since implemented a hotfix and is reviewing their processes to prevent future occurrences.
Chronology
- EV TLS order reviewed and approved by a Validation Specialist.
- Customer care requests an update on the order.
- Issue reported after discovering the lack of two-person (2p) approval evidence.
- All three affected certificates revoked.
- Final Bugzilla report filed.
Participants
secauditor@ssl.com
ryan.sleevi@gmail.com
bwilson@mozilla.com
mathew.hodson@gmail.com
Similar Local Cases
SSL.com: Issuance of an EV TLS certificate with incorrect O Field Value
SSL.com: Issuance of 1 EV TLS certificate using a Registration/Incorporation Agency not included in our approved public list.
SSL.com: Failure to process CAA records from one SubCA
SSL.com: Insufficient validation evidence for the localityName attribute of an OV certificate
SSL.com: Precertificates without corresponding certificates return OCSP value of "Unknown"
SSL.com: CAA Empty set handling results in Wildcard issuance
SSL.com: Delayed revocation of certificate with weak key
SSL.com: DCV bypass and issue fake certificates for any MX hostname