Bugzilla #1398427 · Certificate Misissuance
Let's Encrypt: CAA Misissuances
Internet Security Research Group · RESOLVED
AI Summary
This case addresses misissuances by Let's Encrypt related to CAA checking requirements. Two certificates were issued in violation of the Baseline Requirements, prompting an investigation and subsequent revocation of the certificates. Let's Encrypt acknowledged the compliance issues and implemented changes to their CAA checking algorithm to align with the requirements. The matter was resolved with a commitment to ongoing compliance.
Chronology
- Initial report of CAA misissuances
- Certificates revoked and fixes deployed
- CAA checking algorithm updated for compliance
- Mozilla confirmed no misissuance for cert #1
Participants
Josh Aas
Andrew Ayer
Kathleen Wilson
Gervase Markham
Similar Local Cases
Let's Encrypt: certs issued contrary to CPS due to incomplete blocklist
Let's Encrypt: Attacker-controlled google.tg certificate being used in the wild.
SHA-1 issuance by Visa root
SHA-1 issuance by DocuSign root
SHA-1 issuance by DigiCert roots
DigiCert / Inteso San Paulo: Double dot characters
WoSign issued SHA-1 SSL certs and backdated the issuance date on SSL certificates
StartCom StartEncrypt vulnerability allowed issuance of fraudulent google.com, dropbox.com, etc certificates