← Amazon Trust Services cases
Bugzilla #1743943
Delayed Revocation
Amazon Trust Services: Delayed Revocation of Subordinate CA
RESOLVED
FIXED
Amazon Trust Services
AI Summary
Amazon Trust Services faced challenges in revoking a subordinate CA certificate due to potential negative impacts on over 24 million active certificates. The CA received a report indicating a violation of their Certificate Policy Statement (CPS) and initially planned to revoke the certificate within a week. However, after assessing the situation, they determined that immediate revocation would disrupt services and opted to delay the action while exploring alternative solutions. The CA has committed to transitioning to a new intermediate certificate and has set a timeline for revocation, which was ultimately executed on May 24, 2023.
Chronology
- Amazon Trust Services received a report regarding a potential CPS violation.
- Target date for revocation was set for December 1, 2021.
- Amazon Trust Services provided a timeline for action items related to the incident.
- Amazon Trust Services revoked the subordinate CA certificate.
Participants
Trevoli (Amazon Trust Services)
Ryan Sleevi (Google)
Ryan Dickson (Google Chrome)
External References
Similar Local Cases
PKIoverheid: Failure to revoke within 7 days: OCSP EKU issue
SSL.com: Delayed revocation of 53 certificates affected by bug #1750631
SECOM: Delayed Revocation of CA Certificate with OCSP EKU Issue
Camerfirma: Delayed revocations of certificates issued by old CAs with an RSA modulus size of 2047 bits
D-TRUST: Delayed revocation of EV certificates
NETLOCK: Policy Qualifiers other than id-qt-cps is included in TLS certificates - delayed revocation
SwissSign: Delayed revocation related to Bugzilla 2033000
DigiCert: Delay of revocation for EV audit inconsistency incident