Bugzilla #1886406
Certificate Problem Report
Hongkong Post: TLS certificates with Certificate Policies extension that does not assert http scheme
RESOLVED
FIXED
Government of Hong Kong (SAR), Hongkong Post, Certizen
AI Summary
Hongkong Post CA identified a compliance issue with the policyQualifiers attribute in the Certificate Policies extension of TLS certificates, which did not align with the updated Baseline Requirements effective from September 15, 2023. The CA has committed to removing the non-compliant attribute and has already revoked 1,090 affected certificates, covering a significant portion of government services in Hong Kong. The CA is working closely with customers to facilitate the replacement of these certificates and has implemented new pre-issuance checks to prevent future occurrences.
Chronology
- BR for TLS 2.0.0 became effective.
- Incident report submitted and 6 mis-issued certificates revoked.
- All affected certificates revoked.
- All action items finalized; request to close the bug.
Participants
Man Ho
Martijn Katerbarg
Amir Aamidi
B. Wilson
Similar Local Cases
Hongkong Post: TLS certificates with basicConstraints not marked as critical
Hongkong Post: Certificates with invalid embedded SCT signature
Hongkong Post: Subject CN converted to Unicode representation incident
Hongkong Post e-Cert CA 1 - 10 issuing certificates without subject alternative name extension
Hongkong Post: Delayed response to CPR
Sectigo: Late receipt and disclosure to CCADB of ETSI audit letters
KIR: Intermediate CA - SZAFIR Trusted CA3 - Certificate Policies extension - non-compliance
Disig: TLS certificate with basicConstraints not marked as critical