Bugzilla #1848280
Technical Compliance
Microsoft PKI Services: 3-Month Access Review Process Failure
RESOLVED FIXED
Microsoft Corporation
AI Summary
Microsoft PKI Services identified a failure in its 3-Month Access Review Process: the review did not detect a user account that had been provisioned for an employee who did not hold a Trusted Role. The oversight was discovered during an internal audit on August 9, 2023, and highlighted a need for improved compliance with security requirements. Although the issue was serious, Microsoft confirmed that certificate issuance continued and that the environment remained secure. Steps have been taken to enhance the review process and to automate user verification so that the situation does not recur.
Chronology
- User account created for Non-Trusted Role user
- Random audit discovered Non-Trusted Role user account
- Investigation identified 3-Month Access Review process problem
- Centralized management of Trusted Role group list completed
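The control that failed here is a periodic reconciliation: every account provisioned in the CA environment must map to a person who currently holds a Trusted Role, and the review must actually run on its 3-month cadence. The following is an added example, not code from the Bugzilla case or from Microsoft, of how such a reconciliation can be automated against a centrally managed Trusted Role list. The role names, employee identifiers, account records and the 92-day review interval are all constructed for illustration.

```python
"""
Added example (not from the case or from Microsoft): reconcile the accounts
provisioned in a CA system against a centrally managed Trusted Role roster,
and check that the periodic access review has not been missed.
All names, roles, dates and records below are constructed.
"""
from dataclasses import dataclass
from datetime import date

# Roles the CP/CPS treats as Trusted Roles (constructed set).
TRUSTED_ROLES = {"CA Administrator", "Registration Officer", "Auditor"}


@dataclass(frozen=True)
class Account:
    username: str
    owner: str      # employee identifier the account was provisioned for
    created: str    # ISO date the account was created
    enabled: bool


# Constructed roster from the central source of truth: employee -> roles held.
ROSTER = {
    "emp-1001": {"CA Administrator"},
    "emp-1002": {"Registration Officer"},
    "emp-1003": {"Help Desk"},            # employed, but not a Trusted Role
}

# Constructed CA account inventory, including one account for emp-1003 and
# one whose owner no longer appears on the roster at all.
ACCOUNTS = [
    Account("ca-admin-01", "emp-1001", "2023-01-15", True),
    Account("ra-officer-02", "emp-1002", "2023-03-02", True),
    Account("ca-ops-07", "emp-1003", "2023-06-20", True),
    Account("svc-legacy", "emp-9999", "2021-11-11", False),
]


def holds_trusted_role(owner, roster):
    """True if the owner holds at least one Trusted Role per the roster."""
    return bool(roster.get(owner, set()) & TRUSTED_ROLES)


def review_accounts(accounts, roster):
    """Return a finding for every account whose owner holds no Trusted Role.

    Each finding records why the account fails so the reviewer can route it:
    an owner missing from the roster usually means a leaver or a stale
    service account, while an owner present without a Trusted Role means
    the provisioning check itself was bypassed (the failure in this case).
    """
    findings = []
    for acct in accounts:
        if holds_trusted_role(acct.owner, roster):
            continue
        if acct.owner not in roster:
            reason = "owner not on roster"
        else:
            reason = "owner holds no Trusted Role"
        findings.append({
            "username": acct.username,
            "owner": acct.owner,
            "enabled": acct.enabled,
            "reason": reason,
        })
    return findings


def review_is_overdue(last_review_iso, today_iso, max_interval_days=92):
    """True if more than max_interval_days have elapsed since the last review.

    92 days is used here as a constructed stand-in for a 3-month cadence.
    """
    elapsed = date.fromisoformat(today_iso) - date.fromisoformat(last_review_iso)
    return elapsed.days > max_interval_days


if __name__ == "__main__":
    for finding in review_accounts(ACCOUNTS, ROSTER):
        state = "ENABLED" if finding["enabled"] else "disabled"
        print(f"{finding['username']} ({state}): {finding['reason']}")
    if review_is_overdue("2023-05-01", "2023-08-09"):
        print("access review overdue")
```

Run on the constructed inventory, the check flags ca-ops-07 (an enabled account whose owner holds no Trusted Role, the pattern described in this case) and svc-legacy (an owner absent from the roster). Keying the check on the central roster rather than on a per-system group list is what the final chronology step achieves; the overdue check is there so that a review that simply never ran is itself reported rather than silently passing.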
Participants
u654666@disabled.tld
johnmas@microsoft.com
bwilson@mozilla.com
External References
Similar Local Cases
Microsoft PKI Services: Trusted Role Control Failure
GDCA: CRL validity period exceeds allowed value by one second
Certainly: Root CRL validity period exceeds maximum by one second
Update Microsoft field names and automate filling in the EV checkboxes based on the Microsoft Policy OIDs
Amazon Trust Services: CRL not DER-encoded
Apple: CRL issuance frequency deviates from CPS in some cases
GlobalSign: CRL contains invalid signature algorithm
Let's Encrypt: Failure to audit log subscriber certificate OCSP updates