Bugzilla #2029230
Certificate Problem Report
SSL.com: Incorrect Open MPIC Lambda implementation by EJBCA ACME Service
RESOLVED
FIXED
SSL.com
AI Summary
SSL.com reported an incident involving an incorrect Open MPIC Lambda implementation by the EJBCA ACME service, which allowed domain control validation (DCV) to be completed based solely on remote Network Perspectives. This was a violation of the Baseline Requirements regarding Multi-Perspective Issuance Corroboration. The issue was identified through a third-party report, leading to the revocation of approximately 1.7 million affected certificates within 24 hours. SSL.com has since implemented a fix and updated its testing procedures to prevent similar issues in the future.
Chronology
- Third-party report received regarding potential compliance issue.
- Mass revocation of affected certificates completed.
- Remediation actions reported as completed.
- Report closure summary submitted.
Participants
secauditor@ssl.com
cainfo@ml.secom-sts.co.jp
antti.backman@teliacompany.com
trusten.sec@gmail.com
incident-reporting@ccadb.org
Similar Local Cases
SSL.com: "unknown" OCSP response for issued certificates
SSL.com: DCV bypass and issue fake certificates for any MX hostname
SSL.com: Issuance of 3 EV TLS certificates without 2-person validation of the organization information
SSL.com: Issuance of an EV TLS certificate with incorrect O Field Value
SSL.com: CAA Empty set handling results in Wildcard issuance
SSL.com: Issuance of 1 EV TLS certificate using a Registration/Incorporation Agency not included in our approved public list.
SSL.com: Failure to process CAA records from one SubCA
SSL.com: Insufficient validation evidence for the localityName attribute of an OV certificate