Bugzilla #1957962
Certificate Misissuance
Telekom Security: QCStatement with http link to PDS
RESOLVED
FIXED
Deutsche Telekom Security GmbH
AI Summary
Deutsche Telekom Security GmbH reported a misissuance of two test certificates where the QCStatement extension contained an http link instead of the required https link to the PKI Disclosure Statements (PDS). The certificates were never used in production and were revoked immediately upon discovery. The issue stemmed from insufficient quality assurance during the configuration of a new certificate management platform, which did not have the necessary linting rules to catch this error. Remedial actions include updating testing processes and contributing a pull request to enhance linting tools.
Chronology
- First certificate issued on new platform
- Error discovered and certificates revoked
- Pull request for linting tool submitted
- Incident report closure summary submitted
Participants
Stefan Kirch
Arnold Essing
Adriano Santoni
Dimitris Zacharos
Inigo Barreira
Pedro Fuentes
Similar Local Cases
Telekom Security: Certificate with invalid FQDN
DigiCert: Incorrect case in Business Category
Entrust: Subscriber provides private key with CSR
Actalis: Insufficient serial number entropy
Actalis: Certs issued with same issuer and serial number
Actalis: Issuance of intermediates after 2020-08-20 that do not comply with Mozilla Policy and the Baseline Requirements
GlobalSign Partner: No SAN
Microsoft PKI Services: Certificate Mis-Issuance, Locality Missing