Bugzilla #1878139
Certificate Problem Report
Sectigo: Failure to invalidate Email DCV Random Values after 30 days
RESOLVED
FIXED
Sectigo
AI Summary
Sectigo identified a failure in their email-based domain control validation (DCV) process, where Random Values were not invalidated after the required 30-day period. This oversight led to the issuance of 2577 certificates based on outdated validation data. A patch was deployed on February 1, 2024, to rectify the issue, and all affected certificates were subsequently revoked on February 7, 2024. The incident was thoroughly investigated, and a complete report was provided, detailing the timeline and root cause of the failure.
Chronology
- Compliance team confirms Random Value needs to be invalidated after 30 days.
- Patch deployed to invalidate Random Values after 30 days.
- All affected certificates revoked.
Participants
Martijn Katerbarg
Similar Local Cases
Sectigo: Incorrectly included registrationStateOrProvince in PSD-based cabfOrganizationIdentifier extension
Sectigo: Failure to block disallowed LDH labels in domain names
Sectigo: OCSP, caIssuers, and CRL endpoints unavailable for a single Subordinate CA
Sectigo: SC45 DCV Reuse Error
Sectigo: Certificate issuance delayed for more than 398 days after DCV was completed
Sectigo: S/MIME certificates with (null) string value in subject attributes
Sectigo: HTML encoded characters in subject attribute values
Sectigo: Failure to reply to Certificate Problem Reports within 24 hours