← SECOM Trust Systems CO., LTD. cases
Bugzilla #1897346
Certificate Problem Report
SECOM: Difference in upper and lower case between CN field and SAN
RESOLVED
FIXED
SECOM Trust Systems CO., LTD.
AI Summary
SECOM Trust Systems identified a misissuance involving 24 TLS server-authentication certificates where the Subject's commonName did not match the dNSName byte-for-byte, although they matched case-insensitively. Initially, SECOM believed this did not violate Baseline Requirements until they received clarification from the Chrome Root Program on May 15, 2024, acknowledging it as a misissuance. SECOM revoked 37 affected certificates by May 20, 2024, and has since implemented zlint as a pre-linting tool to prevent future occurrences. They now interpret the Baseline Requirements to require a case-sensitive match between the commonName and dNSName.
Chronology
- Baseline Requirements Ver.1.8.0 became effective.
- SECOM implemented zlint in their system.
- SECOM contacted Chrome Root Program regarding potential misissuance.
- SECOM confirmed misissuance based on Chrome's criteria.
- SECOM completed revocation of 37 certificates.
Participants
SECOM Trust Systems - ONO Fumiaki
clintw@apple.com
amir@aaomidi.com
rdaurne77@gmail.com
mathew.hodson@gmail.com
corey.bonnell@digicert.com
bwilson@mozilla.com
External References
Related Bugzilla IDs Mentioned
Similar Local Cases
SECOM: S/MIME CA Modified Opinion Report of Cybertrust Japan (CTJ)
TWCA: Revocation delay for TLS certificates with non-critical basicConstraints
Entrust: Jurisdiction issue in some EV TLS & Code Signing certificates
GoDaddy: Intermittent unauthorized OCSP response when certificate is freshly issued
Entrust: CPR was not responded to in 24 hours
SECOM: Issuance of TLS server certificates using keys previously compromised
SECOM: No updated CRLs published for Cybertrust Japan SureMail CA G4
SECOM: Invalid stateOrProvinceName