Bugzilla #1956910
Certificate Problem Report
Chunghwa Telecom: OV TLS Server certificate issuance by GTLSCA without proper validation
RESOLVED
FIXED
Chunghwa Telecom
AI Summary
Chunghwa Telecom reported that GTLSCA issued 22 OV TLS server certificates without performing the CAA record check that the TLS Baseline Requirements mandate. The issue was identified during an investigation triggered by a report from the Chrome Root Program. On review, the certificates were found to have been issued despite the CAA non-compliance, and all affected certificates were revoked on March 27, 2025. The incident exposed gaps in GTLSCA's understanding of CAA records and the absence of automated CAA checks, prompting immediate corrective actions and retraining of personnel.
Chronology
- First non-compliant certificate issued
- Non-compliance identified
- All affected certificates revoked
- Full incident report created
- Final call for comments on incident report
Participants
Tsung-Min Kuo
leox@cht.com.tw
tjtncks@gmail.com
incident-reporting@ccadb.org
External References
Similar Local Cases
Chunghwa Telecom: Test Website certificate not revoked
Chunghwa Telecom: Failure to check restrictive CAA record during Migration
Chunghwa Telecom: Issuance of certificate using keys previously reported as compromised
Chunghwa Telecom: CA Certificates Published in PEM format
Chunghwa Telecom: Failure to respond to CPR within 24 hours
Chunghwa Telecom: "Test Website - Valid" URL disclosed to CCADB is expired
Chunghwa Telecom: TLS Certificates Contains two LocalityName Values in SubjectDN by GTLSCA
Chunghwa Telecom: Controversial Values within Extension (2.5.29.9, subjectDirectoryAttributes)