Bugzilla #1876775
Certificate Misissuance
Sectigo: Wrong usage of LEI records for the issuance of SMIME Certificates
RESOLVED
FIXED
Sectigo
AI Summary
Sectigo identified the misissuance of 4,137 S/MIME certificates caused by incorrect pre-validation records derived from Legal Entity Identifier (LEI) data. An internal audit found that the validation process did not comply with the S/MIME Baseline Requirements, resulting in certificates being issued for 12 legal entities whose pre-validation records were invalid. After the discovery, Sectigo promptly began revoking the affected certificates, and revocation was completed on January 26, 2024. The company has since deployed a new pre-issuance linter to prevent a recurrence.
Chronology
- Internal review raises suspicion about LEI records.
- Request for a complete list of approved pre-validation records.
- Verification script discovers invalid pre-validation records.
- Revocation of affected certificates completed.
- New pre-issuance linter deployed.
Participants
Martijn Katerbarg
B. Wilson
Similar Local Cases
Sectigo: Misspelled city name in localityName field
Sectigo: Incorrect JOI Country value
Sectigo: Incorrect JOI
Sectigo: SMIME issuance with insufficient validation of mailbox authorization or control
Sectigo: EV Certificate issuance with incorrect subject:serialNumber attribute value
Sectigo: Incorrect inclusion of DBA name
Sectigo: Missing data in cabfOrganizationIdentifier
Sectigo: S/MIME OV Mis-issuance