← Chunghwa Telecom cases
Bugzilla #1951415
Certificate Problem Report
Chunghwa Telecom: Failure to check restrictive CAA record during Migration
RESOLVED
FIXED
Chunghwa Telecom
AI Summary
Chunghwa Telecom (CHT) faced a significant incident during the migration of TLS certificates from GTLSCA to HiPKI OV TLS CA, where they reused Domain Control Validation (DCV) data without properly checking CAA records. This oversight led to the issuance of 11,860 certificates that were not authorized, as some domains had CAA records that restricted issuance. Upon notification from the Chrome Root Program regarding unusual certificate issuance, CHT promptly initiated a large-scale revocation process, successfully revoking all affected certificates. The incident highlighted procedural weaknesses and the need for improved verification practices.
Chronology
- Non-compliance start date
- Non-compliance identified date
- Non-compliance end date
- Received notification from Chrome Root Program
- Revocation of 11,860 certificates completed
Participants
Tsung-Min Kuo
Tim Callan
Chrome Root Program
External References
Similar Local Cases
Chunghwa Telecom: OV TLS Server certificate issuance by GTLSCA without proper validation
Chunghwa Telecom: Test Website certificate not revoked
Chunghwa Telecom: CA Certificates Published in PEM format
Chunghwa Telecom: Failure to respond to CPR within 24 hours
Chunghwa Telecom: Controversial Values within Extension (2.5.29.9, subjectDirectoryAttributes)
Chunghwa Telecom: Issuance of certificate using keys previously reported as compromised
Chunghwa Telecom: “Test Website - Valid" URL disclosed to CCADB is expired
Chunghwa Telecom: TLS Certificates Contains two LocalityName Values in SubjectDN by GTLSCA