← Chunghwa Telecom cases
Bugzilla #1892419
Delayed Revocation
Chunghwa Telecom: Delayed Revocation Due to GTLSCA EKU Misissuance
RESOLVED
FIXED
Chunghwa Telecom
AI Summary
On March 19, 2024, Chunghwa Telecom was notified of a misissuance involving incorrect Extended Key Usage (EKU) fields in 6,450 certificates issued by GTLSCA. Although the affected certificates were revoked, the revocation process was delayed due to the need for subscribers, primarily government agencies, to replace their certificates without compromising service availability. The CA has since committed to adhering strictly to Baseline Requirements (BR) for future incidents, ensuring timely revocation without grace periods. The incident was resolved with all affected certificates revoked by May 13, 2024.
Chronology
- Notification received regarding EKU misissuance.
- First batch of certificate revocations commenced.
- All affected certificates successfully revoked.
Participants
leox@cht.com.tw
amir@aaomidi.com
ryandickson@google.com
bwilson@mozilla.com
tim.callan@sectigo.com
External References
Similar Local Cases
Chunghwa Telecom: Delayed Revocation with Controversial Extension (2.5.29.9, SubjectDirectoryAttributes)
Entrust: Delayed revocation of certificates affected by Jurisdiction issue in some EV TLS & Code Signing certificates
Entrust: Delayed revocation of EV TLS certificates with missing cPSuri
Chunghwa Telecom: Delayed revocation for bug 1951415
GDCA: Delayed revocation of SSL/TLS certificates with Non-critical Basic Constraints
Chunghwa Telecom: Delayed disclosure to Bug 2008788 GTLSCA Audit Incident Report #2 - Domain validation records without the TLS BR version
NETLOCK: Bug 1891331 replacement - delayed revocation -
Chunghwa Telecom: Delayed disclosure to Bug 2008803 GTLSCA Audit Incident Report #4 - Missing evaluation for third parties