Bugzilla #1886110
Certificate Problem Report
TWCA: Revocation delay for TLS certificates with non-critical basicConstraints
RESOLVED
FIXED
Taiwan-CA Inc. (TWCA)
AI Summary
TWCA mis-issued 16,481 OV TLS certificates with non-conforming basicConstraints, violating BR Section 7.1.2.7.6. Although all affected certificates were required to be revoked within 5 days, 2,551 certificates were not revoked in time due to various customer-related challenges. The CA has since completed the revocation of all remaining certificates and has committed to stricter policies to prevent future delays in revocation. The incident highlighted the need for better communication with customers regarding the importance of timely revocation and the risks associated with certificate binding.
Chronology
- Preliminary incident report posted.
- All affected certificates have been revoked.
- Report closure summary provided.
Participants
chtsai@twca.com.tw
bwilson@mozilla.com
tim.callan@sectigo.com
rdaurne77@gmail.com
mike.shaver@gmail.com
aaron@letsencrypt.org
clintw@apple.com
dzacharo@harica.gr
ryandickson@google.com
Similar Local Cases
Microsoft PKI Services: Failure to Revoke in 5 Days for 1962829
GoDaddy: Intermittent unauthorized OCSP response when certificate is freshly issued
SECOM: Difference in upper and lower case between CN field and SAN
TWCA: TLS EV certificates with invalid subject attribute order
TWCA: Revocation delay for EV TLS certificates with invalid subject attribute order
TWCA: CA Certificate not published in DER Encoded Format
Microsoft PKI Services: Failure to Update Full Incident Report within 14 days of discovering new root cause
Entrust: CPR was not responded to in 24 hours