Bugzilla #1800753
Certificate Problem Report
SSL.com: Delayed revocation of certificate with weak key
RESOLVED
WONTFIX
SSL.com
AI Summary
SSL.com faced a compliance issue over the delayed revocation of a certificate whose key was vulnerable to Fermat factorization (an RSA modulus whose two prime factors lie close together, so the modulus can be factored quickly). The certificate was revoked 25 hours and 50 minutes after the CA became aware of the weakness, exceeding the required 24-hour revocation timeline. SSL.com acknowledged the issue and explained its decision-making process, which involved analyzing the vulnerability and determining the appropriate course of action. The case prompted discussion about the clarity of the Baseline Requirements regarding weak keys and the need for better guidance for CAs.
Chronology
- Vulnerability information shared on mailing list.
- CA publicly confirmed awareness of the certificate.
- Certificate revoked.
- Case closed.
Participants
Matthias
secauditor@ssl.com
bwilson@mozilla.com
aaron@letsencrypt.org
Similar Local Cases
SSL.com: Issuance of 3 EV TLS certificates without 2-person validation of the organization information
SSL.com: Insufficient validation evidence for the localityName attribute of an OV certificate
SSL.com: Issuance of 1 EV TLS certificate using a Registration/Incorporation Agency not included in our approved public list.
SSL.com: Failure to process CAA records from one SubCA
SSL.com: Issuance of an EV TLS certificate with incorrect O Field Value
SSL.com: CAA Empty set handling results in Wildcard issuance
SSL.com: Revocation process requires submission to a form that is unusable
SSL.com: Incorrect Open MPIC Lambda implementation by EJBCA ACME Service