← eMudhra Technologies Limited cases
Bugzilla #1916478
Delayed Revocation
eMudhra emSign PKI Services: Delayed Revocation of SSL/TLS Certificates
RESOLVED
FIXED
eMudhra Technologies Limited
AI Summary
On August 31, 2024, eMudhra received a notification regarding a potential compromise of four SSL/TLS certificates. The required revocation was delayed due to the request being misrouted to a general support email instead of the dedicated Certificate Problem Reporting contact. Additionally, the affected customer did not respond promptly, further complicating the situation. The certificates were eventually revoked on September 2, 2024, without any reported misuse during the delay. eMudhra has since implemented corrective actions, including improved email routing and defined escalation processes for non-responsive customers to ensure compliance with TLS Baseline Requirements.
Chronology
- Researcher submitted revocation request via general support email.
- eMudhra became aware of the issue and started internal investigation.
- Customer acknowledged compromise; certificates were revoked.
Participants
Naveen Kumar ML
Chris Clements
Aaron Zandberg
Hanno Böck
Ben Wilson
External References
Similar Local Cases
eMudhra emSign PKI Services : Delayed Revocation of TLS Certificates due to Policy Inconsistency.
NETLOCK: Policy Qualifiers other than id-qt-cps is included in TLS certificates - delayed revocation
Buypass: Delayed revocation of TLS certificates
Telekom Security: Revocation delay for TLS certificates with basicConstraints not marked as critical
SECOM: Delayed Revocation of CA Certificate with OCSP EKU Issue
SECOM: Delayed Revocation of non-technically constrained FUJIFILM Certificates
Camerfirma: Delayed revocations related to Invalid authorityKeyIdentifier - recurrent incident
SwissSign: EV delayed revocation