User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Steps to reproduce:
For the purposes of SSL issuance, Microsoft operates a PKI that chains to a DigiCert Root (Baltimore CyberTrust Root), and since 2014, we (Microsoft) have been running a WebTrust-audited SSL hierarchy, which later obtained a Baseline Requirements seal as well. Recently, we introduced a new environment for this service, and during preproduction testing, we found that the certificates issued by the new CAs were missing the CP/CPS OID. While only a handful of impacted certificates were public-facing, and a missing CP/CPS OID doesn’t represent a security issue, we recognize this is not aligned with the standards outlined in Baseline Requirements. Therefore, we quickly located the error causing the mislabeling and corrected it. Other than this, the certificates were issued in accordance with Baseline Requirements, and Microsoft has taken action to prevent this from reoccurring.
Thanks, Jeremy, for creating this bug. Please keep us updated (by adding comments to this bug) about remaining action items, and when this concern has been completely resolved.
Assignee: kwilson → jeremy.rowley
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Summary: Non-BR Compliant Certificates → Non-BR Compliant Certificates - missing CP/CPS OID
80% of the certificates have been revoked. By the next update, 100% of the certs will be revoked.
Update - all of these certs are revoked.
Summary: Non-BR Compliant Certificates - missing CP/CPS OID → DigiCert: Non-BR Compliant Certificates - missing CP/CPS OID
Component: CA Certificates → CA Certificate Mis-Issuance
Whiteboard: BR Compliance → [ca-compliance]
I think this is closed, right? All certs were revoked and the system was patched to ensure a CP OID is included each time.
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED