GDCA: CRL validity period exceeds allowed value by one second
The Global Digital Cybersecurity Authority (GDCA) identified a compliance issue regarding the validity period of its Certificate Revocation Lists (CRLs). The CRL for its trusted root certificate exceeded the allowed validity period by one second, violating the Baseline Requirements. GDCA took immediate action by re-issuing the CRL with a corrected validity period and updating its Certificate Policy/Certificate Practice Statement (CP/CPS) to prevent future occurrences. The issue did not result in certificate mis-issuance, and GDCA continued certificate issuance throughout the resolution process.
- Issued the CRL for the Root certificate
- Noticed CRL issues reported by several CAs on Bugzilla
- Confirmed CRL validity period violations
- Informed WebTrust auditor and decided to re-issue the CRL
- Re-issued and published the root CRL with updated validity period
- Updated CP/CPS regarding CRL issuance frequency