1339339 - DigiCert: Non-BR Compliant Certificates - missing CP/CPS OID

Status: RESOLVED FIXED

Description

[Jeremy Rowley]

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce:

For the purposes of SSL issuance, Microsoft operates a PKI that chains to a DigiCert Root (Baltimore CyberTrust Root), and since 2014, we (Microsoft) have been running a Webtrust-audited SSL hierarchy, which later obtained a Baseline Requirements seal as well. Recently, we introduced a new environment for this service, and during preproduction testing, we found that the certificates issued by the new CAs were missing the CP/CPS OID. While only a handful of impacted certificates were public-facing, and a missing CP/CPS OID doesn’t represent a security issue, we recognize this is not aligned with the standards outlined in Baseline Requirements. Therefore, we quickly located the error causing the mislabeling and corrected it. Other than this, the certificates were issued in accordance with Baseline Requirements, and Microsoft has taken action to prevent this from reoccurring.

Comment 1

[Kathleen Wilson]

Thanks, Jeremy, for creating this bug. Please keep us updated (by adding comments to this bug) about remaining action items, and when this concern has been completely resolved.

Comment 2

[Jeremy Rowley]

80% of the certificates have been revoked. By the next update, 100% of the certs will be revoked.

Comment 3

[Jeremy Rowley]

Update - all of these certs are revoked.

Comment 4

[Jeremy Rowley]

I think this is closed, right? All certs were revoked and the system was patched to ensure a CP OID is included each time.