Bugzilla #1800756
Certificate Problem Report
Sectigo: Failure to revoke ECC certificates with non-DER encoded keyUsage within 5 days
Status: RESOLVED FIXED
CA: Sectigo
AI Summary
Sectigo failed to revoke, within the 5-day period the Baseline Requirements mandate, a large set of ECC certificates whose keyUsage extension was not DER encoded. After assessing the impact, including the disruption that mass revocation would cause for a large number of subscribers and relying parties, Sectigo decided not to revoke. The 322,161 affected certificates will instead expire naturally, the last of them on November 19, 2023. Sectigo's reasoning was that the encoding defect posed no security risk and had caused no compatibility problems in practice.
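To make the technical point concrete: DER (X.690, 11.2.2) requires that a BIT STRING carrying a named bit list such as keyUsage drop its trailing zero bits, so the final content octet is never 0x00 and the unused-bits octet equals the number of trailing zero bits in that last octet. The Python below is an added example, not Sectigo's identification script and not code from the bug report. It parses a keyUsage BIT STRING value, reports any DER violations, decodes the bit names, and produces the correct DER form for a given set of usages. The sample byte strings are constructed to illustrate the rule; the page does not reproduce the bytes of the affected certificates, so these should not be read as Sectigo's exact encoding. The parser assumes a short-form length, which always holds for keyUsage (at most two content octets).

```python
# Added example: DER conformance check for the keyUsage BIT STRING.
# X.690 11.2.2: in DER, a named bit list has its trailing zero bits removed,
# so the unused-bits octet must equal the count of trailing zero bits in the
# final octet and the final octet must never be 0x00.

# RFC 5280 keyUsage bit names, bit 0 first (MSB of the first octet).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def parse_bit_string(der: bytes):
    """Parse a primitive BIT STRING (tag 0x03, short-form length).
    Returns (unused_bits, payload); raises ValueError on malformed input."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:  # keyUsage is always short-form
        raise ValueError("bad or unsupported length")
    unused, payload = der[2], der[3:]
    if unused > 7 or (unused > 0 and not payload):
        raise ValueError("invalid unused-bits count")
    return unused, payload


def key_usage_encoding_problems(der: bytes):
    """Return the list of DER violations in a keyUsage BIT STRING value.
    An empty list means the value is DER encoded."""
    unused, payload = parse_bit_string(der)
    problems = []
    if unused and payload[-1] & ((1 << unused) - 1):
        problems.append("unused bits are not zero")
    if payload and payload[-1] == 0:
        problems.append("trailing zero octet not removed")
    elif payload:
        # Number of trailing zero bits in the last octet (lowest set bit).
        trailing = (payload[-1] & -payload[-1]).bit_length() - 1
        if trailing != unused:
            problems.append(
                f"unused-bits count {unused} but {trailing} trailing zero bits")
    return problems


def decode_key_usage(der: bytes):
    """Return the names of the key usage bits that are set (BER or DER)."""
    unused, payload = parse_bit_string(der)
    total_bits = 8 * len(payload) - unused
    return [KEY_USAGE_BITS[i] for i in range(min(total_bits, len(KEY_USAGE_BITS)))
            if payload[i // 8] & (0x80 >> (i % 8))]


def der_encode_key_usage(names):
    """Produce the DER encoding of a keyUsage BIT STRING for the given names."""
    bits = 0
    for name in names:
        bits |= 1 << (15 - KEY_USAGE_BITS.index(name))  # MSB-first, two octets max
    payload = bits.to_bytes(2, "big").rstrip(b"\x00")   # drop trailing zero octets
    unused = 0 if not payload else (payload[-1] & -payload[-1]).bit_length() - 1
    return bytes([0x03, 1 + len(payload), unused]) + payload


# Constructed samples (not taken from any real certificate).
SAMPLES = {
    "DER, digitalSignature only":            bytes.fromhex("03020780"),
    "non-DER, trailing zero bits kept":      bytes.fromhex("03020080"),
    "non-DER, trailing zero octet kept":     bytes.fromhex("0303078000"),
    "DER, digitalSignature+keyEncipherment": bytes.fromhex("030205a0"),
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        problems = key_usage_encoding_problems(value)
        verdict = "DER" if not problems else "NOT DER: " + "; ".join(problems)
        print(f"{value.hex():<12} {decode_key_usage(value)!s:<45} {verdict}  [{label}]")
    print("DER form for digitalSignature:", der_encode_key_usage(["digitalSignature"]).hex())
```

To scan real certificates, feed `key_usage_encoding_problems` the raw DER value of the keyUsage extension (the contents of `extnValue`) from whatever X.509 parser is in use; a certificate whose value decodes to the same bits as its re-encoding but whose bytes differ from `der_encode_key_usage(decode_key_usage(value))` is exactly the "non-DER encoded keyUsage" class this incident concerns.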
Chronology
- Bug 1796803 created, leading to internal discussions.
- Completion of the script identifying affected certificates.
- Discussion during WebPKI Incident Response call about the incident.
- Initial write-up concludes that remediation and disclosure are complete.
- Final comments indicate readiness to close the bug.
Participants
Martijn Katerbarg
Rob Stradling
Ben Wilson
Similar Local Cases
Sectigo: Issuance of ECC leaf certificates with non-DER encoded keyUsage
Sectigo: HTML encoded characters in subject attribute values
Sectigo: Temporary unavailability for subset of CRLs
Sectigo: OCSP responses directly signed using root certificates without KU=digitalSignature
Sectigo: Non-existent hostname in CDP and AIA URLs
Sectigo: S/MIME certificates with (null) string value in subject attributes
Sectigo: Premature disabling of CRL generation for an inactive CA
Sectigo: QWAC certificates issued with incorrect subject:organizationIdentifier attribute value