Closed Bug 1646866 Opened 4 years ago Closed 4 years ago

DigiCert: Failure to revoke invalid serialNumber EV certificates within 5 days

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: fozzie, Assigned: brenda.bernal)

Details

(Whiteboard: [ca-compliance])

DigiCert has failed to revoke two invalid leaf certificates within the mandated 5 days of section 4.9.1.1.

Timeline of events:

13th June 19:03 UTC: I sent an email to revoke@digicert.com stating there was an issue with two certificates (https://misissued.com/batch/110/). These certificates' serialNumbers are incorrect as there is no organisation linked to "BG".
13th June 22:29 UTC: I received a response from the DigiCert team stating that they will start the investigation.
14th June 16:30 UTC: I received a response from the DigiCert team stating that they had received regulatory information relating to "BG" and that they will contact them again on the 15th of June to look into this discrepancy.
17th June 22:07 UTC: DigiCert stated that these certificates have not been misissued and they will not be revoked.
17th June 22:17 UTC: I responded and asked for clarification that "BG" was a valid company registration for "Coast Capital Savings Federal Credit Union".
18th June 19:24 UTC: I received a response from the DigiCert team stating that these certificates will now be revoked:

The revocation will happen 5 days after we received the new registration number from the Registering Authority which is June 21, 2020 10h27 MDT.

This surpasses the 5 day mandated revocation timeline in section 4.9.1.1 of the baseline requirements.

Assignee: bwilson → brenda.bernal
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance]

We aren't planning on revoking these certificates (hence there isn't a five day revocation window). The certs were properly issued and contain the correct serial number. The agent who replied to you saying that we received a new incorporation number was incorrect - the number was still "BG" (the one found in the original cert). The response from the incorporating agency was that you can include either the registration number "BG" or the Date of Incorporation "Nov 1, 2018" as the incorporation identifier.

There are a number of certificates issued with "FI 146" which does seem to be Coast Capital Savings' credit union registration number:
https://crt.sh/?id=1624470007
https://crt.sh/?id=1006508050
https://crt.sh/?id=1467512799
https://crt.sh/?id=1285770998

I'm still not sure what "BG" actually refers to. Can you clarify what documents you have which link "BG" to this company?

BG was assigned as the registration number by the Office of the Superintendent of Financial Institutions.

Thank you for the clarification Jeremy, this seems to be resolved.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Resolution: FIXED → INVALID
Product: NSS → CA Program