Bugzilla #1914911 · Certificate Misissuance
DigiCert: Unclear Disclosure of CAA Issuer Domain Names
DigiCert · CLOSED
AI Summary
DigiCert's Certificate Policy/Certification Practice Statement (CP/CPS) described its CAA Issuer Domain Names in unclear language. An external report pointed out that the CPS suggested domains of the form 'digicert.XX', which DigiCert's systems did not actually implement. The investigation prompted by that report revealed that 'symantec.com' had been inadvertently removed from the list of approved CAA domains, and that 185 certificates had been misissued as a result. DigiCert revoked these certificates and updated its CPS to prevent a recurrence.
Chronology
- Bug reported by external researcher.
- 185 misissued certificates identified and revocation initiated.
- All affected certificates revoked.
- Automated comparison system for CPS and CAA implementation deployed.
- Case closed after completion of all action items.
Participants
Tim Hollebeek
Andrew Ayer
Similar Local Cases
DigiCert: Invalid Characters in S/MIME Subject Fields
DigiCert: DigiCert issued cert with CN too long
DigiCert: in-addr.arpa Misissuance
DigiCert: SHA-1 intermediate issued after 2016-01-01
DigiCert: Internal Domain Name cert mis-issuance
DigiCert: RapidSSL CAA Mis-Issuance: Lookup failure on DNSSEC-signed zone
DigiCert / Telecom Italia: Several Problems
Digicert: Failure to include CPS URI in 1 certificate