Sectigo: OCSP responses directly signed using root certificates without KU=digitalSignature
Sectigo reported that several of its root certificates were signing OCSP responses directly even though their Key Usage extension asserts only keyCertSign and cRLSign, not digitalSignature. RFC 5280 section 4.2.1.3 requires the digitalSignature bit whenever a key verifies signatures other than those on certificates and CRLs, and an OCSP response signature is neither, so a root with that Key Usage profile may not sign OCSP responses itself; the Baseline Requirements (BRs) incorporate RFC 5280, and root programs, including Google Chrome, treated the practice as non-compliant. Because a root's Key Usage cannot be changed in place, Sectigo acknowledged that the affected roots would eventually need to be replaced with new roots that assert digitalSignature, and addressed the non-compliance by moving to delegated OCSP responders: responder certificates issued by each root, carrying digitalSignature and the id-kp-OCSPSigning extended key usage, so that the root keys no longer sign OCSP responses directly. The case was closed when the new OCSP infrastructure was deployed in August 2022.
- Bug 1725039 filed: root certificates without KU=digitalSignature were directly signing OCSP responses.
- Sectigo acknowledged the issue and began planning the replacement of the affected roots.
- Sectigo announced that the affected roots would move to delegated OCSP responders.
- Deployment of the new OCSP infrastructure completed (August 2022); bug resolved.
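The check behind this report, as an added example that is not Sectigo's or any root program's code: it builds a throwaway root whose Key Usage is keyCertSign and cRLSign only, signs an OCSP response directly with the root key and audits the result, then issues a delegated responder certificate with digitalSignature and id-kp-OCSPSigning and shows the same audit passing. Every name and key is constructed on the fly; the code uses the pyca/cryptography library and restricts itself to ECDSA keys to keep the signature checks short.

```python
"""Audit who signed an OCSP response and whether that signer's Key Usage
permits it. Constructed example with throwaway keys; not Sectigo's code."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)


def key_usage(digital_signature=False, key_cert_sign=False, crl_sign=False):
    # Positional order is fixed by the cryptography API; only three bits matter here.
    return x509.KeyUsage(digital_signature, False, False, False, False,
                         key_cert_sign, crl_sign, False, False)


def issue(subject_cn, issuer_cert, issuer_key, ku, *, ca=False, eku=None):
    """Issue an ECDSA certificate; issuer_cert=None means a self-signed root."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    b = (x509.CertificateBuilder()
         .subject_name(subject)
         .issuer_name(issuer_cert.subject if issuer_cert else subject)
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(NOW - datetime.timedelta(days=1))
         .not_valid_after(NOW + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
         .add_extension(ku, critical=True))
    if eku:
        b = b.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return b.sign(issuer_key or key, hashes.SHA256()), key


def sign_good_response(leaf, issuer_cert, responder_cert, responder_key):
    """DER-encoded 'good' OCSP response for leaf, signed with responder_key."""
    b = (ocsp.OCSPResponseBuilder()
         .add_response(cert=leaf, issuer=issuer_cert, algorithm=hashes.SHA1(),
                       cert_status=ocsp.OCSPCertStatus.GOOD, this_update=NOW,
                       next_update=NOW + datetime.timedelta(days=7),
                       revocation_time=None, revocation_reason=None)
         .responder_id(ocsp.OCSPResponderEncoding.HASH, responder_cert))
    if responder_cert is not issuer_cert:
        b = b.certificates([responder_cert])  # delegated responders ship their cert
    return b.sign(responder_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def _key_hash(public_key):
    # RFC 6960 KeyHash is SHA-1 over the subjectPublicKey BIT STRING content,
    # the same value RFC 5280's method-1 SubjectKeyIdentifier computes.
    return x509.SubjectKeyIdentifier.from_public_key(public_key).digest


def _verifies(public_key, signature, data, hash_alg):
    try:
        public_key.verify(signature, data, ec.ECDSA(hash_alg))
        return True
    except InvalidSignature:
        return False


def audit_ocsp_response(der, issuer_cert):
    """Classify the response signer (direct CA vs delegated) and list findings."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return {"signer": "none", "findings": ["response status not successful"]}
    findings = []
    ca_pub = issuer_cert.public_key()
    if resp.responder_key_hash == _key_hash(ca_pub) or resp.responder_name == issuer_cert.subject:
        kind, signer = "direct-ca", issuer_cert  # the pattern the report is about
    else:
        signer = next((c for c in resp.certificates
                       if _key_hash(c.public_key()) == resp.responder_key_hash
                       or c.subject == resp.responder_name), None)
        if signer is None:
            return {"signer": "unknown", "findings": ["responder certificate not found"]}
        kind = "delegated"
        # RFC 6960 4.2.2.2: a delegated responder is issued by the CA and carries id-kp-OCSPSigning.
        if not _verifies(ca_pub, signer.signature, signer.tbs_certificate_bytes,
                         signer.signature_hash_algorithm):
            findings.append("delegated responder not issued by the CA")
        try:
            eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
            if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
                findings.append("delegated responder lacks id-kp-OCSPSigning")
        except x509.ExtensionNotFound:
            findings.append("delegated responder lacks EKU")
    if not _verifies(signer.public_key(), resp.signature, resp.tbs_response_bytes,
                     resp.signature_hash_algorithm):
        findings.append("response signature does not verify")
    # RFC 5280 4.2.1.3: when keyUsage is present, digitalSignature must be asserted
    # for any signature other than on certificates and CRLs; OCSP responses included.
    try:
        if not signer.extensions.get_extension_for_class(x509.KeyUsage).value.digital_signature:
            findings.append("signer keyUsage lacks digitalSignature")
    except x509.ExtensionNotFound:
        pass  # no keyUsage extension means no restriction
    return {"signer": kind, "findings": findings}


def demo():
    """Reproduce the reported pattern, then the delegated-responder fix."""
    root, root_key = issue("Example Root (constructed)", None, None,
                           key_usage(key_cert_sign=True, crl_sign=True), ca=True)
    leaf, _ = issue("example.test", root, root_key, key_usage(digital_signature=True))
    bad = audit_ocsp_response(sign_good_response(leaf, root, root, root_key), root)
    resp_cert, resp_key = issue("Example OCSP Responder (constructed)", root, root_key,
                                key_usage(digital_signature=True),
                                eku=[ExtendedKeyUsageOID.OCSP_SIGNING])
    good = audit_ocsp_response(sign_good_response(leaf, root, resp_cert, resp_key), root)
    return bad, good


if __name__ == "__main__":
    for label, result in zip(("root signs directly", "delegated responder"), demo()):
        print(f"{label}: signer={result['signer']} findings={result['findings']}")
```

To run the same audit against a live responder, fetch the response with your OCSP client of choice, hand its DER bytes and the issuing CA certificate to `audit_ocsp_response`, and treat `signer == "direct-ca"` together with the digitalSignature finding as the condition described in this bug. Both branches check the signature as well as the extensions, because a responder that fails the Key Usage test but still verifies is exactly the case that is cryptographically fine yet policy-non-compliant.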