Bugzilla #1887888
Delayed Revocation
Hongkong Post: Delayed revocation of TLS certificates with basicConstraints not marked as critical
RESOLVED
FIXED
Government of Hong Kong (SAR), Hongkong Post, Certizen
AI Summary
Hongkong Post CA issued 46 TLS certificates whose basicConstraints extension was not marked as critical. Because subscribers managed these certificates manually and a system vendor patch was delayed, 45 of these certificates were not revoked within the required 5-day period. This delay posed significant risks to critical e-services provided by government and financial institutions in Hong Kong. Hongkong Post has since committed to improving its processes to ensure timely revocation in the future, including upgrading linting tools and enhancing subscriber education on revocation requirements.
Chronology
- Became aware of the error and began examination.
- Implemented a system patch to reject non-compliant certificate requests.
- Confirmed that all affected certificates were revoked.
- Closure summary provided and incident report completed.
Participants
Man Ho
Ryan Dickson
Mike Shaver
Clint Wilson
Tim Callan
B. Wilson
External References
Similar Local Cases
Hongkong Post: Delayed revocation of TLS certificates with Certificate Policies extension problem
Telekom Security: Revocation delay for TLS certificates with basicConstraints not marked as critical
Entrust: Delayed revocation of clientAuth TLS Certificates without serverAuth EKU
Microsec: Delayed revocation of the misissued certificates
Asseco DS / Certum: Delayed revocation of SSL.COM cross certificate
CFCA: Delayed revocation of TLS certificates (basicConstraints extension not marked as critical)
Buypass: Delayed revocation of TLS certificates