← Government of Hong Kong (SAR), Hongkong Post, Certizen cases
Bugzilla #1886665
Delayed Revocation
Hongkong Post: Delayed revocation of TLS certificates with Certificate Policies extension problem
RESOLVED
FIXED
Government of Hong Kong (SAR), Hongkong Post, Certizen
AI Summary
Hongkong Post CA faced a significant incident involving the delayed revocation of 1,176 TLS certificates due to a problem with the Certificate Policies extension. Although the CA aimed to revoke these certificates within 5 days of identifying the issue, 1,170 certificates remained unrevoked in time, raising concerns about the continuity of critical e-services for the government of Hong Kong. The delay was attributed to the manual management of certificates by subscribers and the complexities of coordinating replacements. The CA has since implemented action items to streamline the revocation process and ensure compliance with industry standards.
Chronology
- Original problem report received.
- Revocation deadline extended to ensure completion of certificate replacements.
- Educational materials regarding revocation requirements distributed to all customers.
- Closure summary prepared and incident report finalized.
Participants
Man Ho
Ryan Dickson
Amir Aamidi
Tim Callan
Ben Wilson
External References
Similar Local Cases
Hongkong Post: Delayed revocation of TLS certificates with basicConstraints not marked as critical
Buypass: Delayed revocation of TLS certificates
Telekom Security: Revocation delay for TLS certificates with basicConstraints not marked as critical
Microsec: Delayed revocation of the misissued certificates
Asseco DS / Certum: Delayed revocation of SHECA cross certificate
Digicert: Delayed Revocation for bug 1894560
SECOM: Delayed Revocation of non-technically constrained FUJIFILM Certificates
NETLOCK: Policy Qualifiers other than id-qt-cps is included in TLS certificates - delayed revocation