← SwissSign AG cases
Bugzilla #1894054
Certificate Misissuance
SwissSign: MPKI step-up process sets wrong JoI Locality
RESOLVED
FIXED
SwissSign AG
AI Summary
SwissSign AG reported a mis-issuance of 18 Extended Validation (EV) certificates due to incorrect jurisdiction of incorporation (JoI) locality fields during a walkthrough of their MPKI step-up process. This issue was identified during an audit review session, and all affected certificates have since been revoked. The mis-issuance was attributed to a failure in the user interface and backend checks that should have prevented the entry of locality information for organizations registered at the state level. SwissSign has implemented corrective actions and enhanced their procedures to prevent similar issues in the future.
Chronology
- Guidelines for the Issuance and Management of Extended Validation Certificates Version 1.8.1 released
- Walkthrough of the MPKI step-up process and issuance of EV certificates
- Discovery of mis-issuance during audit review session
- Reporting of additional mis-issued certificates
- Correction of error in the step-up process completed
Participants
Sandy Balzer
Amir Aamidi
Mathew Hodson
Roman Fischer
B Wilson
External References
Similar Local Cases
SwissSign: S/MIME wrong key Usage
SwissSign: difference in upper and lower case between CN field and SAN
SwissSign: EV JurisdictionStateOrProvinceName - one certificate not selected for revocation
SwissSign: S/MIME LCP not-permitted key usage
SwissSign: S/MIME NCP non ASCII symbols in email and SAN field wrong coding
SwissSign: modified fields were not saved into certificates and resulted in miss-issuance
SwissSign: LDAP URL still in CRL distribution point (CDP)
SwissSign: S/MIME LCP: CN with values other than email address