← NAVER Cloud Trust Services cases
Bugzilla #1866448
Certificate Misissuance
NAVER Cloud Trust Services: DV Certificate issued with improperly validated
RESOLVED
FIXED
NAVER Cloud Trust Services
AI Summary
NAVER Cloud Trust Services reported a misissuance of a Domain Validation (DV) certificate due to improper validation during testing of their new certificate issuance service. The certificate was issued on November 24, 2023, after a QA team member inadvertently accessed an approval link in an email during functional testing. Upon realizing the error, the certificate was revoked immediately. The incident was classified as human error, highlighting a lack of technical safeguards. Investigations confirmed no other similar mis-issuances occurred, and corrective measures have been implemented to prevent recurrence.
Chronology
- NCP CM newly released and started issuing DV certificates
- DV certificate issued due to improper validation
- Certificate revoked upon recognition of the error
- No further issues found during investigation
- Action items to prevent recurrence completed
Participants
Han Yong, Park
amir@aaomidi.com
bwilson@mozilla.com
sooyoung.eo@navercorp.com
External References
Similar Local Cases
NAVER Cloud Trust Services: DV certificate issued with no subject alternative name extension
NAVER Cloud Trust Services: OV certificate issued with OU field
NAVER Cloud Trust Services: commonName not in SAN
SSL.com: Issuance of one Sponsored-Validated S/MIME certificate with organization information in givenName and surName of the subjectDN
IdenTrust: unintended creation of a Root CA certificate
CFCA: certificate with an incorrect OrganizationName
NAVER Cloud Trust Services: Certificate issued with incorrect OCSP URI in AIA
SSL.com: Wildcard DV certificate issued with a non-validated domain name