← Taiwan-CA Inc. (TWCA) cases
Bugzilla #1738778
Policy Compliance
TWCA: Policy OID not set to indicate the assurance level to the issued certs
RESOLVED
FIXED
Taiwan-CA Inc. (TWCA)
AI Summary
The case involves Taiwan-CA Inc. (TWCA) and the absence of Policy OIDs in the X.509 certificates for certain domains, which is a violation of the Baseline Requirements. TWCA acknowledged that their Certificate Policy/Certificate Practice Statement (CP/CPS) was outdated and did not clearly document compliance with these requirements. They have since updated their procedures to ensure that all certificates issued after September 30, 2020, include the correct OIDs. The issue was resolved with the acknowledgment that the certificates in question were not mis-issued, as they predated the new requirements.
Chronology
- Bug opened by Oscar Koeroo regarding missing Policy OIDs.
- TWCA acknowledged the issue and began investigating.
- TWCA confirmed the violation of Baseline Requirements and updated their CP/CPS.
Participants
Oscar Koeroo
Hao-Chun Li
Ben Wilson
Ryan Sleevi
External References
Similar Local Cases
Microsoft PKI Services: Policy Documentation, Failure to update Subscriber Certificate Max Validity Period
KIR S.A.: CP/CPS contains noncompliant DV method, does not specify CAA domains
Amazon Trust Services: CP/CPS does not specify key compromise methods
GlobalSign: SHA-256 hash algorithm used with ECC P-384 key
NetLock: Replacement of enduser certificates after the EVGL 1.7.4 self-audit
NetLock: Issuance of intermediates after 2019-01-01 that do not comply with Mozilla Policy
Ernst & Young Poland: KIR OCSP "unknown" status for revoked certificate
Firmaprofesional: 2020 Audit Report Finding 2 out of 4