Bugzilla #1731164
Technical Compliance
Google Trust Services: CRL validity period set to expected value plus one second
RESOLVED
FIXED
Google Trust Services LLC
AI Summary
Google Trust Services identified an issue with the validity period of Certificate Revocation Lists (CRLs) in their secondary CA system, which was inadvertently set to 10 days plus one second. This configuration was against the spirit of the Baseline Requirements, although it did not result in any certificate misissuance. A fix was deployed on September 10, 2021, and fully implemented by September 16, 2021. The CA has since monitored the situation and confirmed no further concerns from the community.
Chronology
- Compliance Engineer identifies CRL validity issue.
- Patch rollout initiated.
- Patch fully deployed to all systems.
Participants
Cade Cairns
Similar Local Cases
Google Trust Services: OCSP responses not published in a timely manner
Google Trust Services: digitalSignature KeyUsage not set
Google Trust Services: uses "DNSSec-mostly" and DTPs for DNS resolution
Sectigo: CRL validity beyond CPS allowed value
GDCA: CRL validity period exceeds allowed value by one second
Certainly: Root CRL validity period exceeds maximum by one second
Let's Encrypt: Failure to audit log subscriber certificate OCSP updates
Microsoft PKI Services: 3-Month Access Review Process Failure