Bugzilla #1914893
Technical Compliance
Amazon Trust Services: CRL not DER-encoded
RESOLVED
FIXED
Amazon Trust Services
AI Summary
Amazon Trust Services served a Certificate Revocation List (CRL) in PEM format instead of the DER format required by RFC 5280. The cause was a recent change to an automated deployment process that did not include checks for CRL format. The issue was identified during a regular review, and corrective actions were taken to ensure compliance. The CRL was updated to the correct format shortly after the issue was discovered, and Amazon Trust Services has since requested that the case be closed as resolved.
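A format check of the kind the summary says the deployment process lacked, as an added example (not Amazon Trust Services' tooling). It inspects only the outer encoding of the artifact and does not validate the CRL's contents or signature; the function names and the sample bytes are constructed for illustration.

```python
import base64

PEM_BEGIN = b"-----BEGIN X509 CRL-----"
PEM_END = b"-----END X509 CRL-----"

def der_length(data, offset):
    """Parse a DER definite length at data[offset]; return (length, body_offset)."""
    first = data[offset]
    if first < 0x80:
        return first, offset + 1
    n = first & 0x7F
    if n == 0 or n > 4 or offset + 1 + n > len(data):
        raise ValueError("indefinite or oversized length")
    value = int.from_bytes(data[offset + 1:offset + 1 + n], "big")
    if value < 0x80 or data[offset + 1] == 0:
        raise ValueError("non-minimal length, not DER")
    return value, offset + 1 + n

def classify_crl(data):
    """Return 'pem', 'der' or 'unknown' for the bytes a CRL URI would serve."""
    if data.lstrip().startswith(PEM_BEGIN):
        return "pem"
    try:
        if len(data) < 4 or data[0] != 0x30:
            return "unknown"
        length, body = der_length(data, 1)
        # Outer SEQUENCE must span the whole file; first child is tbsCertList (SEQUENCE).
        if body + length == len(data) and data[body] == 0x30:
            return "der"
    except (ValueError, IndexError):
        pass
    return "unknown"

def pem_to_der(data):
    """Strip the PEM armor and return the DER bytes that should have been published."""
    text = data.strip()
    if not (text.startswith(PEM_BEGIN) and text.endswith(PEM_END)):
        raise ValueError("not a PEM CRL")
    return base64.b64decode(text[len(PEM_BEGIN):-len(PEM_END)])

def deploy_gate(data):
    """True only when the artifact is DER and may be published at the CRL URI."""
    return classify_crl(data) == "der"

# Constructed sample: DER framing shaped like a CertificateList, not a real signed CRL.
SAMPLE_DER = bytes.fromhex("3015" "3003020101" "300a06082a8648ce3d040302" "03020000")
SAMPLE_PEM = PEM_BEGIN + b"\n" + base64.encodebytes(SAMPLE_DER) + PEM_END + b"\n"
```

Run as a deployment step, `deploy_gate` rejects the PEM artifact and accepts the same CRL once `pem_to_der` has removed the armor.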
Chronology
- Deployed new CRL to the specified URI.
- Regular review of CRLWatch identified a parsing error.
- Incident identified during the next regular review.
- Updated CRL in correct format completed deployment.
- Requested closure of the issue as resolved.
Participants
Andrew Ayer
Trevoli (Amazon Trust Services)
bwilson@mozilla.com
Similar Local Cases
Amazon Trust Services: Missing CAA Check For Test Website Certificates
Amazon Trust Services: Failure to comply with RFC 5280
Apple: CRL issuance frequency deviates from CPS in some cases
Entrust: Non-BR-Compliant OCSP Responder
Firmaprofesional: Non-BR-Compliant OCSP Responders
Amazon Trust Services / DigiCert: 404 error when fetching CRL
DocuSign/Keynectis: Non-Compliant Technically Constrained Intermediates
Visa: Non-BR-Compliant OCSP Responders