Firmaprofesional: Chrome Root Program Policy non-compliance for dedicated TLS hierarchy / EKU requirements (preliminary incident report)
Firmaprofesional reported a Chrome Root Program incident regarding its Chrome-included root, `Autoridad de Certificacion Firmaprofesional CIF A62634068`. Chrome notified Firmaprofesional that unexpired and unrevoked subordinate CA certificates capable of validating to that root do not meet the dedicated TLS server authentication hierarchy requirements in the Chrome Root Program Policy. Firmaprofesional’s initial review confirmed seven affected subordinate CA certificates, including cases with missing `extendedKeyUsage` and cases with specific EKUs that do not satisfy the dedicated TLS hierarchy requirements. Firmaprofesional stated that it does not intend to seek continued inclusion of this hierarchy in the Chrome Root Store and plans to proceed with Chrome’s announced phase-out rather than seek an exemption or submit a replacement root. The report notes that the policy non-compliance is not considered contained at the preliminary stage because the affected CA certificates remain unexpired and unrevoked. Firmaprofesional also identified one additional affected certificate (`SIGNE Autoridad de Certificacion - 2020`) during its internal scope review.
- Chrome Root Program notified Firmaprofesional that unexpired, unrevoked subordinate CA certificates validating to its Chrome-included root do not meet dedicated TLS hierarchy/EKU requirements.
- Firmaprofesional submitted a preliminary incident report listing seven affected subordinate CA certificates and stating it will proceed with Chrome’s phase-out.
- Autoridad de Certificacion Firmaprofesional — Filed a preliminary incident report describing Chrome’s notification, listing seven affected subordinate CA certificates (and one additional found internally), and stating Firmaprofesional will not seek continued inclusion or an exemption.