DigiCert: Failure to revoke invalid serialNumber EV certificates within 5 days
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: fozzie, Assigned: brenda.bernal)
Details
(Whiteboard: [ca-compliance])
DigiCert has failed to revoke two invalid leaf certificates within the mandated 5 days of section 4.9.1.1.
Timeline of events:
13th June 19:03 UTC: I sent an email to revoke@digicert.com stating there was an issue with two certificates (https://misissued.com/batch/110/). These certificates' serialNumbers are incorrect as there is no organisation linked to "BG".
13th June 22:29 UTC: I received a response from the DigiCert team stating that they will start the investigation.
14th June 16:30 UTC: I received a response from the DigiCert team stating that they had received regulatory information relating to "BG" and that they will contact them again on the 15th of June to look into this discrepancy.
17th June 22:07 UTC: DigiCert stated that these certificates have not been misissued and they will not be revoked.
17th June 22:17 UTC: I responded and asked for clarification that "BG" was a valid company registration for "Coast Capital Savings Federal Credit Union".
18th June 19:24 UTC: I received a response from the DigiCert team stating that these certificates will now be revoked:
The revocation will happen 5 days after we received the new registration number from the Registering Authority which is June 21, 2020 10h27 MDT.
This surpasses the 5 day mandated revocation timeline in section 4.9.1.1 of the baseline requirements.
Updated•4 years ago
|
Comment 1•4 years ago
|
||
We aren't planning on revoking these certificates (hence there isn't a five day revocation window). The certs were properly issued and contain the correct serial number. The agent who replied to you saying that we received a new incorperation number was incorrect - the number was still "BG" (the one found in the original cert). The response from the incorperating agency was that you can include either the registration number "BG" or the Date of Incorporation "Nov 1, 2018" as the incorperation identifier.
Reporter | ||
Comment 2•4 years ago
|
||
There are a number of certificates issued with "FI 146" which does seem to be Coast Capital Savings' credit union registration number:
https://crt.sh/?id=1624470007
https://crt.sh/?id=1006508050
https://crt.sh/?id=1467512799
https://crt.sh/?id=1285770998
I'm still not sure "BG" actually refers to? Can you clarify what documents you have which link "BG" to this company?
Comment 3•4 years ago
|
||
BG was assigned as the registration nnumber by the Office of the Superintendent of Financial Institutions.
Reporter | ||
Comment 4•4 years ago
|
||
Thank you for the clarification Jeremy, this seems to be resolved.
Updated•4 years ago
|
Updated•4 years ago
|
Updated•2 years ago
|
Description
•