← Google Trust Services LLC cases
Bugzilla #1902670 Certificate Problem Report

Google Trust Services: SXG certificates issued without correctly checking CAA restrictions

RESOLVED FIXED Google Trust Services LLC
AI Summary

Google Trust Services identified an issue where SXG certificates were issued without properly verifying CAA record parameters, violating their Certificate Policy. A total of 58 certificates were affected, with 12 being active at the time of discovery. All affected certificates were revoked within 24 hours. The issue arose from a bug in the code that failed to enforce additional CAA checks required for SXG certificates. Google Trust Services has since deployed a fix and is monitoring the situation.

Model: gpt-4o-mini Generated: 2026-06-13 21:36 UTC Confidence: 0.95
Chronology
  1. Issue with SXG certificate issuance discovered.
  2. Incident report published detailing the bug and its impact.
  3. Proposed tests for SXG certificates added to caatestsuite.com.
  4. All action items related to the incident completed.
Participants
gts-external@google.com agwa-bugs@mm.beanwood.com bwilson@mozilla.com
External References
Original Bugzilla Case wicg.github.io pki.goog github.com github.com
Similar Local Cases
#1783272 RESOLVED Certificate Problem Report Opened 2022-08-04 · Closed 2023-02-22 · 59% similar
Google Trust Services: Failure to send preliminary report to subscriber within 24h
AI Summary CA Owner
#1959867 RESOLVED Certificate Problem Report Opened 2025-04-11 · Closed 2025-06-10 · 58% similar
Google Trust Services: Inconsistent MPCAA secondary perspective logging
AI Summary CA Owner
#1736020 RESOLVED Certificate Problem Report Opened 2021-10-15 · Closed 2023-02-22 · 57% similar
Telia: Invalid email contact address was used for few domains
AI Summary CA Owner
#1884461 RESOLVED Certificate Problem Report Opened 2024-03-08 · Closed 2024-05-20 · 57% similar
Microsoft PKI Services: CA Certificates not published in DER Encoded Format
AI Summary CA Owner
#1932973 RESOLVED Certificate Problem Report Opened 2024-11-22 · Closed 2025-04-07 · 55% similar
SSL.com: CAA Empty set handling results in Wildcard issuance
AI Summary CA Owner
#1905419 RESOLVED Certificate Problem Report Opened 2024-06-28 · Closed 2024-10-31 · 54% similar
GoDaddy: Intermittent unauthorized OCSP response when certificate is freshly issued
AI Summary CA Owner
#1773556 RESOLVED Certificate Problem Report Opened 2022-06-09 · Closed 2023-02-22 · 53% similar
Google Trust Services: Incorrect OCSP responses for certain certificates
AI Summary CA Owner
#1815874 RESOLVED Certificate Problem Report Opened 2023-02-09 · Closed 2023-03-20 · 53% similar
Google Trust Services: incorrect SCT in certificate
AI Summary CA Owner

We use only essential cookies and local browser storage for preferences and security. See our Privacy Policy for details.

Confirm action