Bugzilla #1738183 Certificate Problem Report

GDCA: CRL validity period exceeds allowed value by one second

RESOLVED INVALID Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA))
AI Summary

Global Digital Cybersecurity Authority Co., Ltd. (formerly GDCA) identified a compliance issue where the validity period of their Certificate Revocation List (CRL) exceeded the allowed duration by one second. This was discovered after noticing similar reports from other CAs. The CRL for their trusted root certificate was issued with a validity period of twelve months plus one second, violating Baseline Requirements. The CA has not halted certificate issuance as the issue does not lead to certificate mis-issuance. They have taken steps to re-issue the CRL with a compliant validity period and revise their Certificate Policy accordingly.

Model: gpt-4o-mini Generated: 2026-06-13 21:21 UTC Confidence: 0.90
Chronology
  1. Issued the CRL for the Root certificate
  2. Noticed CRL issues reported by several CAs on Bugzilla
  3. Confirmed CRL validity period violations
  4. Informed WebTrust auditor and decided to re-issue the CRL
Participants
capoc@gdca.com.cn bwilson@mozilla.com
Similar Local Cases
#1843676 RESOLVED Certificate Problem Report Opened 2023-07-15 · Closed 2023-09-22 · 50% similar
Apple: Revocation Delay for TLS certificates issued outside the TTL of the CAA record
#1738207 RESOLVED Certificate Problem Report Opened 2021-10-28 · Closed 2023-02-22 · 49% similar
Telia: Issued three precertificates with non-NIST EC curve
#1536831 RESOLVED Certificate Problem Report Opened 2019-03-20 · Closed 2023-02-22 · 49% similar
GDCA: Insufficient Serial Number Entropy
#1666872 RESOLVED Certificate Problem Report Opened 2020-09-23 · Closed 2023-02-22 · 48% similar
SSL.com: Insufficient validation evidence for the localityName attribute of an OV certificate
#1790693 RESOLVED Certificate Problem Report Opened 2022-09-13 · Closed 2023-03-24 · 48% similar
SSL.com: Issuance of 1 EV TLS certificate using a Registration/Incorporation Agency not included in our approved public list.
#1637093 RESOLVED Certificate Problem Report Opened 2020-05-11 · Closed 2023-02-22 · 48% similar
Multicert: AIA CA Issuer field pointing to PEM encoded cert
#1944436 RESOLVED Certificate Problem Report Opened 2025-01-28 · Closed 2025-04-03 · 48% similar
Microsoft PKI Services: Subject Key Identifiers in Some Subscriber Certificates Do Not Comply with RFC 5280
#1841534 RESOLVED Certificate Problem Report Opened 2023-07-03 · Closed 2023-08-30 · 48% similar
Apple: TLS certificates issued outside the TTL of the CAA record
