Bugzilla #1815355
Policy Compliance
Asseco DS / Certum: Cross-Signed non-EV-audited root with an EV-enabled root
RESOLVED
FIXED
Asseco Data Systems S.A.
AI Summary
Asseco Data Systems S.A. (Certum) had used one of its EV-enabled roots to cross-sign a root that was not covered by an EV audit. Kathleen Wilson raised the issue: because the cross-certificates chained to an EV-enabled root, the cross-signed hierarchy was technically capable of issuing EV TLS certificates, yet it had not been included in the EV audit scope at any point since the cross-certificates were issued in 2018. Certum acknowledged the oversight and committed to including the cross-certificates in the EV scope of its future audits. The cross-certificates were due to expire in September 2023, and Certum described corrective measures intended to prevent a similar gap from recurring, posting a Lessons Learned statement to MDSP before the bug was closed.
Chronology
- Bug filed regarding cross-signed certificates without EV audits.
- Discussion on corrective actions and audit scope.
- Update on lessons learned and community response preparation.
- Lessons Learned statement posted to MDSP.
- Bug closure planned.
Participants
Kathleen Wilson
Aleksandra Kurosz
Ben Wilson
Thomas Zermeno
Similar Local Cases
Asseco DS / Certum: CPS does not refer to BR domain validation methods
Asseco DS / Certum: Use of forbidden subjectPublicKeyInfo algorithm
NetLock: Issuance of intermediates after 2019-01-01 that do not comply with Mozilla Policy
Microsoft PKI Services: Policy Documentation, Failure to update Subscriber Certificate Max Validity Period
Asseco DS / Certum: Failure to Update Policy Documents within 365 Days
iTrusChina: Failure to Respond to May 2022 Survey
Staat der Nederlanden / PKIoverheid: Non-BR-Compliant Certificate Issuance
GoDaddy: Non-BR-Compliant Certificate Issuance