← Sectigo cases
Bugzilla #1782356
Certificate Misissuance
Sectigo: Misspelled city name in localityName field
RESOLVED
FIXED
Sectigo
AI Summary
Sectigo identified a misissued certificate containing a misspelled localityName, 'Las Angeles', instead of 'Los Angeles'. The error was discovered during an internal audit on July 14, 2022, leading to the revocation of the affected certificate on July 19, 2022. Sectigo is in the process of phasing out the localityName field in public certificates to prevent similar errors in the future. They have already reduced the use of this field by over 95% and are implementing changes to ensure such mistakes do not recur.
Chronology
- Internal audit reveals a certificate with misspelled localityName.
- Affected certificate is revoked.
- Changes to remove localityName field are deployed.
Participants
Tim Callan
Martijn Katerbarg
Ben Wilson
External References
Similar Local Cases
Sectigo: Incorrect JOI for federal credit unions
Sectigo: Failure to revoke within 5 days
Sectigo: Invalid stateOrProvinceName
Sectigo: Incorrect inclusion of DBA name
Sectigo: SMIME issuance with insufficient validation of mailbox authorization or control
Sectigo: State name in localityName
Sectigo: Missing data in cabfOrganizationIdentifier
Sectigo: Subject field with unvalidated information included in certificates