In Bug 1706967, Comment #4, GTS was informed, and confirmed, on 2021-04-22 that they were using an unauthorized/undisclosed method of domain control validation. In Bug 1706967, Comment #4, GTS acknowledges that they did not complete revocation until 2021-05-01, a total of 9 days to revoke. Although GTS did not make the determination themselves until 2021-04-30, they were unambiguously made aware of the non-compliance on 2021-04-22.

With respect to CP/CPS violations, Section 4.9.1.1 of the Baseline Requirements requires that a CA MUST revoke within 5 days if:

> 7. The CA is made aware that the Certificate was not issued in accordance with these Requirements or the CA’s Certificate Policy or Certification Practice Statement;

However, with respect to Domain Control Validation, the CA only has 24 hours to revoke. This is due to the following clause:

> 5. The CA obtains evidence that the validation of domain authorization or control for any Fully‐Qualified Domain Name or IP address in the Certificate should not be relied upon.

In Bug 1706967, Comment #7, on 2021-05-11, this non-compliance was highlighted to Google Trust Services, but no subsequent issue was filed.

This incident report is to track the factors that caused a delay in revocation, and the steps Google Trust Services is taking to prevent such future delays.
Bug 1715421 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
In Bug 1706967, GTS was informed, and confirmed, on 2021-04-22 that they were using an unauthorized/undisclosed method of domain control validation. In Bug 1706967, Comment #4, GTS acknowledges that they did not complete revocation until 2021-05-01, a total of 9 days to revoke. Although GTS did not make the determination themselves until 2021-04-30, they were unambiguously made aware of the non-compliance on 2021-04-22.

With respect to CP/CPS violations, Section 4.9.1.1 of the Baseline Requirements requires that a CA MUST revoke within 5 days if:

> 7. The CA is made aware that the Certificate was not issued in accordance with these Requirements or the CA’s Certificate Policy or Certification Practice Statement;

However, with respect to Domain Control Validation, the CA only has 24 hours to revoke. This is due to the following clause:

> 5. The CA obtains evidence that the validation of domain authorization or control for any Fully‐Qualified Domain Name or IP address in the Certificate should not be relied upon.

In Bug 1706967, Comment #7, on 2021-05-11, this non-compliance was highlighted to Google Trust Services, but no subsequent issue was filed.

This incident report is to track the factors that caused a delay in revocation, and the steps Google Trust Services is taking to prevent such future delays.