QuoVadis: Incorrect OCSP Delegated Responder Certificate
Categories: CA Program :: CA Certificate Compliance, task
Tracking: Not tracked
People: Reporter: ryan.sleevi, Assigned: stephen.davidson
Details: Whiteboard: [ca-compliance] [ocsp-failure]
The following was originally reported to m.d.s.p. at https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg13493.html
QuoVadis has issued one or more OCSP Delegated Responders, as defined within RFC 6960, Section 2.6 and Section 4.2.2.2, without including the id-pkix-ocsp-nocheck response, as required by the Baseline Requirements, Version 1, Section 13.2.5 through Version 1.7.0, Section 4.9.9.
Example certificate: https://crt.sh/?id=549505562
Please provide an incident report, including the timeline for revocation.
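The condition the report describes, as an added example that is not part of this bug or of QuoVadis's own tooling: a Go lint that flags a certificate whose extendedKeyUsage contains id-kp-OCSPSigning but which lacks the id-pkix-ocsp-nocheck extension. The certificates it runs over are self-signed test CAs constructed inline (no real QuoVadis certificate is embedded); the function and type names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-pkix-ocsp-nocheck (RFC 6960, Section 4.2.2.2.1): 1.3.6.1.5.5.7.48.1.5.
var oidOCSPNoCheck = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5}
// Finding is the lint result for one certificate.
type Finding struct {
	OCSPEKU bool // id-kp-OCSPSigning present in extendedKeyUsage
	NoCheck bool // id-pkix-ocsp-nocheck extension present
}

// Violates is the reported condition: a delegated responder (id-kp-OCSPSigning) without nocheck.
func (f Finding) Violates() bool { return f.OCSPEKU && !f.NoCheck }

// LintDelegatedResponder parses one DER certificate and checks the EKU/nocheck pair.
func LintDelegatedResponder(der []byte) (Finding, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Finding{}, err
	}
	var f Finding
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			f.OCSPEKU = true
		}
	}
	for _, ext := range cert.Extensions { // includes extensions Go does not interpret
		if ext.Id.Equal(oidOCSPNoCheck) {
			f.NoCheck = true
		}
	}
	return f, nil
}

// MakeTestCA builds a self-signed CA certificate as constructed test data (not a QuoVadis
// cert). withOCSPEKU reproduces the "EKU chaining" mistake; withNoCheck adds the fix.
func MakeTestCA(cn string, withOCSPEKU, withNoCheck bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	if withOCSPEKU { // the EKU mix the affected sub CAs carried: TLS plus OCSP signing
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageOCSPSigning}
	}
	if withNoCheck { // value is ASN.1 NULL (05 00); the extension is non-critical
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidOCSPNoCheck, Value: []byte{0x05, 0x00}}}
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	for _, c := range [][2]bool{{true, false}, {true, true}, {false, false}} {
		der, err := MakeTestCA("Example Sub CA", c[0], c[1])
		if err != nil {
			panic(err)
		}
		f, _ := LintDelegatedResponder(der)
		fmt.Printf("ocspEKU=%-5v nocheck=%-5v violates=%v\n", f.OCSPEKU, f.NoCheck, f.Violates())
	}
}
```

The same lint applied to a CA's issued-certificate store would have surfaced every intermediate listed later in this bug, since each carried the EKU without the extension.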
Comment 1 (Assignee) • 4 years ago
We acknowledge this problem report and are investigating prior to filing a response.
Comment 2 (Assignee) • 4 years ago
- How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
We were alerted to the issue by the MDSP post entitled “SECURITY RELEVANT FOR CAs: The curious case of the Dangerous Delegated Responder Cert”. We followed the discussion since inception and have been working to get an accurate view of what needs to be done for remediation since the topic was first posted.
- A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
1/2 July 2020 – Awareness of Sleevi’s post on MDSP and this bug, emergency incident calls convened with QV and DigiCert to determine scope and extent of the issue.
2 July 2020 – Tim Hollebeek posts DigiCert + QuoVadis opinion on the issue.
3/4/5 July 2020 – Identification of affected sub CAs, setting of revocation priorities, discussions with DigiCert, PKIoverheid, affected external subCA customers, as well as regulatory supervisory authorities. Planning for replacement CAs. Arranged key ceremonies and starting naming documents to get key ceremonies prepared and executed.
3 July 2020 – Revocation of initial 4 sub CAs: QuoVadis QVRCA1G1 SSL ICA, QuoVadis QVRCA1G3 SSL ICA, QuoVadis QVRCA3G1 SSL ICA, QuoVadis QVRCA3G3 SSL ICA.
6/7/8 July 2020 – Key ceremonies for creation of replacement CAs. Details are provided in subsequent comment 3 and comment 4. Contacted customers explaining the situation.
8 July 2020 – Revocation of 3 external sub CAs: DarkMatter Assured CA, DarkMatter High Assurance CA, DarkMatter Secure CA.
- Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident. A statement that you have stopped will be considered a pledge to the community; a statement that you have not stopped requires an explanation.
QuoVadis ceased using the id-kp-OCSPSigning EKU in its new ICAs in 2019.
In addition, the CAs listed as “Reissued” no longer have the id-kp-OCSPSigning EKU and will move into production by COB 8 July 2020. See comment 3 and notes. We recognise that we need to destroy the key material of the affected CAs and are working towards that goal.
- In a case involving certificates, a summary of the problematic certificates. For each problem: the number of certificates, and the date the first and last certificates with that problem were issued. In other incidents that do not involve enumerating the affected certificates (e.g. OCSP failures, audit findings, delayed responses, etc.), please provide other similar statistics, aggregates, and a summary for each type of problem identified. This will help us measure the severity of each problem.
For ease of tracking and discussion, QuoVadis split the affected CAs as follows.
- QV-operated CAs see comment 3
- External Sub CAs see comment 4
- QV-operated CAs chained to PKIoverheid hierarchy. These are dealt with separately in the PKIoverheid bug.
The earliest certificate was issued on 13 January 2015 and the latest on 19 May 2019.
We are prioritizing the replacement and destruction of the External Sub CAs as they operate outside our infrastructure. However, we are working towards replacement and destruction of all the affected CAs, including those operated by QuoVadis. The general plan is to:
- Immediately revoke CAs with low customer impact (completed).
- Reissue all QV-operated CAs without the id-kp-OCSPSigning EKU (completed by end 8 July).
- Create new CAs with new keys.
- Revoke and/or destroy keys for the “legacy” affected CAs.
In comment 3 and comment 4, CAs marked “Reissued” use the same key as the previous cert; these will later be decommissioned and destroyed the same as the impacted CAs. CAs marked “Revoked” are revoked but do not yet have keys destroyed.
We don’t necessarily need to distribute the “Reissued” CAs in all cases; they were created where necessary to replace pinned certs or certs on hardware devices that cannot rapidly be replaced with other CAs. A couple of issues causing delays are:
- The CAs are non-TLS and involve large numbers of end entity certificates on tokens which require coordination with customers, regulatory agencies, or the EUTL.
- We are using this as an opportunity to migrate from the QuoVadis-legacy infrastructure to DigiCert systems, which is anticipated to improve performance in other areas such as approval workflow and validation process. We think this is better than providing a replacement on the legacy infrastructure, and are basing revocation dates on this process.
We believe some CAs may require a period up to six months before key destruction but we are going to be terminating CAs at regular stages throughout the period. We will update this bug regularly to provide accurate dates.
- In a case involving certificates, the complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem. In other cases not involving a review of affected certificates, please provide other similar, relevant specifics, if any.
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
At the time the CAs were built, the QuoVadis understanding was that EKU chaining was required including for id-kp-OCSPSigning. We were not aware at the time of potential issues with the use of the EKU.
QuoVadis recognises the issue and is replacing the certificates. QuoVadis will not create new ICAs with the id-kp-OCSPSigning EKU going forward.
- List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.
We are revoking and replacing all QV CAs that include the id-kp-OCSPSigning EKU and performing key destruction. Details are provided in subsequent comment 3 and comment 4.
We will regularly update this bug with details as we progress.
We have opened Bug 1651553 acknowledging that not all affected certificates were revoked within 7 days.
Comment 3 (Assignee) • 4 years ago
QV-operated CAs
Replacement of the CAs marked “Reissued/Q” will occur after the new Issuing CA is distributed on the relevant country Trusted List (EUTL). The process has already been started.
Note: Our planning is still in flight for the revocation and key destruction of the QV-operated CAs. Our plans at this stage are:
By Aug 31
- QuoVadis Swiss Regulated CA G2 (nonTLS)
- QuoVadis Qualified Web ICA G1 (TLS)
- VR IDENT EV SSL CA 2018 (TLS)
By Sept 30
- QuoVadis Europe SSL CA G1 (TLS)
- QuoVadis EV SSL ICA G1 (TLS)
By Oct 31
- itsme Sign Issuing CA G1 (nonTLS)
- VR IDENT SSL CA 2018 (TLS)
- QuoVadis Swiss Regulated CA G1 (nonTLS)
By Dec 31
- HydrantID EV SSL ICA G1 (TLS)
- QuoVadis Swiss Advanced CA G3 (nonTLS)
- QuoVadis Europe Advanced CA G1 (nonTLS)
- QuoVadis EV SSL ICA G3 (TLS)
Comment 4 (Assignee) • 4 years ago
External Sub CAs
Notes:
- DarkMatter have engaged KPMG (WebTrust auditors) to witness key destruction by July 31.
- Technically constrained LLB expected to be revoked with key destruction by July 18 (witness subject to lockdown protocols). Rather than reissue, a new CA with a new key was created.
- Siemens:
  - Siemens Issuing CA Internet Server 2017 to be revoked with key destruction by October 31
  - Remaining Siemens nonTLS CAs have issued large numbers of certificates on tokens to employees and business counterparties. Siemens are investigating timelines for revocation and reissuance of these end entity certificates. These CAs have ceased issuance. We will update by July 15 with a plan for revocation and key destruction.
Comment 5 (Assignee) • 4 years ago
QuoVadis continues to advance on its plans as described in Comments 3 and 4.
QV-operated CAs
Name | Type | Last Status | Update |
---|---|---|---|
QuoVadis Europe Advanced CA G1 | nonTLS | Reissued | New CA created: QuoVadis Europe Advanced CA G2 |
QuoVadis Europe SSL CA G1 | TLS | Reissued | New CA created: QuoVadis Europe SSL CA G2 |
QuoVadis EV SSL ICA G1 | TLS | Reissued | Transition planning underway, see Comment 3 |
QuoVadis EV SSL ICA G3 | TLS | Reissued | Transition planning underway, see Comment 3 |
QuoVadis Qualified Web ICA G1 | TLS | Reissued/Q | New CA created: QuoVadis Qualified Web CA G2 |
QuoVadis Qualified Web ICA G1 | TLS | Reissued/Q | Revoked |
QuoVadis QVRCA1G1 SSL ICA | TLS | Revoked | NA |
QuoVadis QVRCA1G3 SSL ICA | TLS | Revoked | NA |
QuoVadis QVRCA3G1 SSL ICA | TLS | Revoked | NA |
QuoVadis QVRCA3G3 SSL ICA | TLS | Revoked | NA |
QuoVadis Swiss Advanced CA G3 | nonTLS | Reissued | New CA created: QuoVadis Swiss Advanced CA G4 |
QuoVadis Swiss Regulated CA G1 | nonTLS | Reissued | New CA to be created week of 7/27: QuoVadis Swiss Regulated CA G3 |
QuoVadis Swiss Regulated CA G2 | nonTLS | Reissued | New CA to be created week of 7/27: QuoVadis Swiss Regulated CA G3 |
HydrantID EV SSL ICA G1 | TLS | Reissued | New CA created: HydrantID EV SSL CA G2 |
itsme Sign Issuing CA G1 | nonTLS | Reissued/Q | Transition planning underway, see Comment 3 |
VR IDENT EV SSL CA 2018 | TLS | Reissued | New CA created: VR IDENT EV SSL CA 2020 |
VR IDENT SSL CA 2018 | TLS | Reissued | New CA created: VR IDENT SSL CA 2020 |
External Sub CAs
- DarkMatter CAs, revoked, key destruction planned for completion by Aug 7
- LLB CAs, revoked, key destruction planned for completion by July 29
- Siemens CAs, transition planning underway, will provide update by July 31
Comment 6 (Assignee) • 4 years ago
For the QuoVadis-operated issuing CAs and Siemens TLS CAs we continue on the schedule outlined in Comment 3. It is targeted that the ~500,000 end entity certificates will be replaced and the 17 issuing CAs revoked/keys destroyed by Dec 31.
For the external issuing CAs, key destruction has occurred for DarkMatter and LLB. The DarkMatter CAs are now "oneCRL" equivalent in Mozilla, Microsoft, and Google. Apple will similarly remove trust from the DarkMatter CAs. An update on final plan is pending for the nonTLS Siemens CAs, which involve ~850,000 end entity certificates, the majority of which are on tokens.
Comment 7 (Assignee) • 4 years ago
An update now that our plans have solidified and are in action. We have brought on additional resources to track and support the replacement of end entity certificates. Here we provide an update on our status including CA revocation and key destruction dates.
QuoVadis operated CAs
We continue to target that the ~500,000 end entity certificates will be replaced and the 17 issuing CAs revoked/keys destroyed by December 31.
- QuoVadis Europe Advanced CA G1 - December 31
- QuoVadis Europe SSL CA G1 - September 30
- QuoVadis EV SSL ICA G1 - September 30
- QuoVadis EV SSL ICA G3 - December 31
- QuoVadis Qualified Web ICA G1 - moved to October 30. The replacement Qualified CA must be added to the Netherlands EU Trusted List before end entity reissuance can begin. This has required additional audit procedures. We do not yet have a confirmed date for EUTL listing, which is dependent on the Supervisory Authority.
- QuoVadis Qualified Web ICA G1 - earlier version, as above
- QuoVadis QVRCA1G1 SSL ICA - Revoked
- QuoVadis QVRCA1G3 SSL ICA - Revoked
- QuoVadis QVRCA3G1 SSL ICA - Revoked
- QuoVadis QVRCA3G3 SSL ICA - Revoked
- QuoVadis Swiss Advanced CA G3 - December 31
- QuoVadis Swiss Regulated CA G1 - October 30
- QuoVadis Swiss Regulated CA G2 - August 31
- HydrantID EV SSL ICA G1 - December 31
- itsme Sign Issuing CA G1 - October 30. Also a Qualified CA on the Belgium EUTL. At this time, we do not anticipate a delay caused by the replacement CA being added to the EUTL.
- VR IDENT EV SSL CA 2018 - moved to September 30 as the client is implementing improved TLS automation, whose delay is balanced by the achievement of a desired result of better agility for certificate replacement.
- VR IDENT SSL CA 2018 - October 30
We have scheduled key destruction as close as possible to the CA revocation ceremony, and these procedures will be witnessed by our external auditor. However, we are consolidating the reporting on these key destruction procedures into a single external audit report covering all affected CAs at the conclusion of the above schedule.
All the CA Private Keys are stored on HSMs meeting FIPS 140-2 Level-3 and/or CC EAL 4; further information is provided in our CP/CPS. These HSMs are in a high security zone and require authentication for key signing operations, which are controlled. Our key management process is designed to prevent CA Private Keys from being used for unauthorised purposes. Direct access to the HSMs requires multiperson Trusted Role operators. Both HSM and CA logs are tamperproof and preserved for audit purposes. There are mechanisms to detect tampered log files, and logs are periodically reviewed. To address the security risk, for the affected QuoVadis CAs, we have also confirmed the affected CA keys have not been used for OCSP signing.
External CAs
- DarkMatter Assured CA - Revoked and key destruction performed
- DarkMatter High Assurance CA - Revoked and key destruction performed
- DarkMatter Secure CA - Revoked and key destruction performed
- LLB Root CA public v3 - Revoked and key destruction performed
- LLB Root CA public v4 - Revoked and key destruction performed
- Siemens Issuing CA EE Auth 2016 - March 1, 2021
- Siemens Issuing CA EE Auth 2016 - March 1, 2021
- Siemens Issuing CA EE Enc 2016 - March 1, 2021
- Siemens Issuing CA EE Network Smartcard Auth 2016 - March 1, 2021
- Siemens Issuing CA Internet Code Signing 2016 - November 30
- Siemens Issuing CA Internet Server 2017 - October 31
- Siemens Issuing CA Medium Strength Authentication 2016 - March 1, 2021
- Siemens Issuing CA Multi Purpose 2016 - November 30
Note: several of the Siemens CAs involve multiple certificates for more than 400,000 cryptotoken holders located worldwide.
Comment 8 (Assignee) • 4 years ago
As planned, QuoVadis Swiss Regulated CA G2 has been revoked.
Key destruction has occurred for the following ICAs, witnessed by our external auditor. Reporting will be consolidated into a single external audit report at the conclusion of the bug.
- QuoVadis QVRCA1G1 SSL ICA
- QuoVadis QVRCA1G3 SSL ICA
- QuoVadis QVRCA3G1 SSL ICA
- QuoVadis QVRCA3G3 SSL ICA
- QuoVadis Swiss Regulated CA G2
Comment 9 (Assignee) • 4 years ago
The replacement for QuoVadis Qualified Web ICA G2 has been added to the EU Trusted List, so replacement of the end entity certificates from QuoVadis Qualified Web ICA G1 may begin. The revocations and subsequent key destructions will occur for the following CAs in the next week. An update will be provided on Oct 5.
- QuoVadis Europe SSL CA G1
- QuoVadis EV SSL ICA G1
- VR IDENT EV SSL CA 2018
In addition, revocations will occur for OLDER versions of the following Siemens issuing CAs (SHA-256 fingerprint provided). Note, these are NOT the versions that are in current production and are referenced in Comment 7.
- Siemens Issuing CA Internet Code Signing 2016 1B046535378E07D10ACDAA24EEFCE20420BB9A596114EB475CA696357753E925
- Siemens Issuing CA Internet Server 2017 7D33AE618CD62553377D253D2EBCA285D84E98A924D89F98D4BE4FEE31F92AA8
- Siemens Issuing CA EE Auth 2016 940D2F212A2A39CC84BD42D0F6DC4F7BA4C477E7A5A9922C96B9F5EC14E4A6C8
- Siemens Issuing CA EE Auth 2016 5972B9BD471017D5F32705BEE915703626575F8B270A39C1C312C7F9246C10D4
- Siemens Issuing CA Multi Purpose 2016 05BFB6605D48516A571BAF9A7FF75376130470DA5EE7FF684C2672EAA0C0C8AD
- Siemens Issuing CA Medium Strength Authentication 2016 42AB4D9F1809454EBEC245D8DB06FF61AA8289B05A263DFEE9662DAC91666043
- Siemens Issuing CA EE Network Smartcard Auth 2016 37D220A6C7522799021191349C183F917BE1BE8626CF926B0FD6E0A8681EE031
- Siemens Issuing CA EE Enc 2016 ABF3803CD2939E26803E52280A81F67C46C3E0EE75FCDBB1E30FB03A321ACFAD
Comment 10 (Assignee) • 4 years ago
As noted in Comment 9, the older versions of the affected Siemens CAs have been revoked. The current production versions of these CAs are scheduled for revocation and the final key destruction as in Comment 7.
CA | SHA256 |
---|---|
Siemens Issuing CA Internet Code Signing 2016 | 1B046535378E07D10ACDAA24EEFCE20420BB9A596114EB475CA696357753E925 |
Siemens Issuing CA Internet Server 2017 | 7D33AE618CD62553377D253D2EBCA285D84E98A924D89F98D4BE4FEE31F92AA8 |
Siemens Issuing CA EE Auth 2016 | 940D2F212A2A39CC84BD42D0F6DC4F7BA4C477E7A5A9922C96B9F5EC14E4A6C8 |
Siemens Issuing CA EE Auth 2016 | 5972B9BD471017D5F32705BEE915703626575F8B270A39C1C312C7F9246C10D4 |
Siemens Issuing CA Multi Purpose 2016 | 05BFB6605D48516A571BAF9A7FF75376130470DA5EE7FF684C2672EAA0C0C8AD |
Siemens Issuing CA Medium Strength Authentication 2016 | 42AB4D9F1809454EBEC245D8DB06FF61AA8289B05A263DFEE9662DAC91666043 |
Siemens Issuing CA EE Network Smartcard Auth 2016 | 37D220A6C7522799021191349C183F917BE1BE8626CF926B0FD6E0A8681EE031 |
Siemens Issuing CA EE Enc 2016 | ABF3803CD2939E26803E52280A81F67C46C3E0EE75FCDBB1E30FB03A321ACFAD |
As scheduled, revocations and key destructions have occurred for the following CAs (multiple versions of CAs are noted). Reporting will be consolidated into a single external audit report at the conclusion of the bug.
CA | SHA256 |
---|---|
QuoVadis Europe SSL CA G1 | DC8B2DEE50DD478AB135CAC269CEA68851557A9129ABCD98DF5213B23DBFB3CD 89994B6D9D9DDFFF687FABD3E7342CDD8522D661F5EFCE8E6ABDEB25A04F1023 |
VR IDENT EV SSL CA 2018 | BF39A4241F42D522368944B3DC53ED9EAA5AC7735E242E0627C0DD5BBA714484 8C97A008F7CE21F746EAFB2E3AE06095E557D289A310C82C6F3C02D9F721E5F8 |
QuoVadis EV SSL ICA G1 | 3FE8BE392A08684B99F497E618C7DDF5A02A4289BF9D08E595045931BFBA814F 9CE274FFDA0CC48762CB71B12C742049C728E61DFBC0708E3F9C871E9EBDEA22 |
The replacement CA for itsme Sign Issuing CA G1 has not yet been added to the Belgium Trusted List, which is a required precursor to replacement of the end entity certificates. This, however, is being actively pursued.
QuoVadis continues to track to our schedule in Comment 7.
Comment 11 (Assignee) • 4 years ago
QuoVadis understands that itsme Sign Issuing CA G2 will be added to the Belgium Trusted List in the coming days. QuoVadis continues to track to the schedule in Comment 7. We will provide a next update on revocations and key destructions ~Nov 3.
Comment 12 (Assignee) • 4 years ago
As scheduled, revocations have occurred for the following CAs (multiple versions of CAs are noted).
CA | SHA256 |
---|---|
QuoVadis Qualified Web ICA G1 | 04ECBA8F92BFF7458C4A5E7C69261FC7E2EF52D5AF54FBDD92B17141BBE0651F 163CD2FCAD0D6A87C8DAFCE056F594F3B53B917C0F925D40D92258EA277FC4F4 |
QuoVadis Swiss Regulated CA G1 | 53570D05E40DC62F9DF91D15AFB015B56AAA680C20CC168E6D57D946C9CE2684 67B6E43E6D54DBBE11595FBA2A809DF98E6B280C0D047840FD93EA38C50E4F98 |
Siemens Issuing CA Internet Server 2017 | 2B2CFAECABF2266FD4FB6505F3342B92514EBE6FA7C08CB6CBD4988F6AFD17BD |
VR IDENT SSL CA 2018 | 502C7A870341D7BE67DB26DBFACF9647AFD89A854BF8812FA4EF70C356EC13E5 E22160364E56F7C27234F5435D8477B1A5BBBA01103298F3954909180DF02778 |
An update will be provided to confirm the revocation of itsme Sign Issuing CA G2 this week, and to confirm the associated key destruction ceremonies.
Comment 13 (Assignee) • 4 years ago
Revocation has occurred for multiple versions of the following CA (note a typo in comment 12 incorrectly referred to itsme G2 rather than G1):
CA | SHA256 |
---|---|
itsme Sign Issuing CA G1 | C679DA9F1C48C51C08FF1BA253EC6C99FA3203B539CE8B7153FD00B001370869 F640E5643C40C1F329E100438E28C957691AFA8A53E405A326F7AFEB70C23BC1 |
In addition, audited key destruction ceremonies have occurred for QuoVadis Qualified Web ICA G1, QuoVadis Swiss Regulated CA G1, VR IDENT SSL CA 2018, and itsme Sign Issuing CA G1. Reporting will be consolidated into a single external audit report at the conclusion of the bug.
Comment 14 (Assignee) • 4 years ago
- We scheduled a number of CAs to be revoked on December 31, 2020. In retrospect, this date is problematic due to the seasonal change restrictions at many companies. We propose to complete the CA revocations and key destructions by January 22, 2021. The CAs are:
  - QuoVadis Europe Advanced CA G1
  - QuoVadis EV SSL ICA G3
  - QuoVadis Swiss Advanced CA G3
  - HydrantID EV SSL ICA G1
  This will conclude the QV-operated CAs included in the bug.
- Similarly, we propose to realign the pending revocation of two Siemens CAs to match the revocation date of the other affected Siemens CAs. We believe this change is warranted as a nontrivial number of the leaf certificates are used in major medical devices. These devices are in heavy demand for COVID treatment, and in some cases replacement requires site visits which Siemens is actively pursuing. To reiterate, we have already revoked the TLS-capable “Siemens Issuing CA Internet Server 2017” CA and will conclude the following revocations by March, followed by audited key destruction of the group of affected Siemens CAs:
  - Siemens Issuing CA Internet Code Signing 2016
  - Siemens Issuing CA Multi Purpose 2016
  - Siemens Issuing CA EE Auth 2016
  - Siemens Issuing CA EE Enc 2016
  - Siemens Issuing CA EE Network Smartcard Auth 2016
  - Siemens Issuing CA Medium Strength Authentication 2016
  This will conclude the externally-operated CAs included in the bug.
QuoVadis believes that these changes are reasonable given the scale of the replacement activities, and the underestimated challenges of COVID when the dates were proposed in the summer. The changes do not affect the “end date” of our work.
Although activity related to this bug continues apace, we suggest a next-update of January 7, 2021.
Comment 15 (Assignee) • 4 years ago
QuoVadis is on track for the schedule described in comment 14. We suggest a next-update of January 7, 2021.
Comment 16 (Assignee) • 4 years ago
QuoVadis is on track for the schedule described in comment 14.
Comment 17 (Assignee) • 4 years ago
The following CAs have been revoked and audited key destruction has been completed.
CA | SHA256 |
---|---|
QuoVadis Europe Advanced CA G1 | 3F6267382E09645DBCA74AFEE6CDF71EC432B56EE58078F8B8387D73B7BDB7EC 8E5CEA1D1012521C27A4E11270702BC7C9A1156F135073D6CA4E42EEE826249E |
QuoVadis EV SSL ICA G3 | F18442BEDF70B4D15211356C72B659332BED03FFD3BBA7AFAAABE6DE9D723002 ABB3FF299AA1BAEFC1278818C424388AEF7B29651595C60194E78D943694680B |
QuoVadis Swiss Advanced CA G3 | 31A7C579F24D5562CDB203FA15A9F2C3FF5DC1F2E6BF7C0BD95FBCB0114C8D21 872F9DBB2EFCB0DC7BEC5462FCACEDEB66BEC1BB7446847670128A24878BED29 |
HydrantID EV SSL ICA G1 | 6B43B4C243AA2D99440C0F14BDEC5231EEC63E86AAF2376CA7002028458DC726 |
This completes the termination of the QuoVadis-hosted CAs included in this bug. The independent audit report will be provided when complete.
Further updates will be provided as available on the revocation and key destruction of the Siemens operated CAs described in Comment 14.
Comment 18 (Assignee) • 4 years ago
We have no updates at this time; next steps are the completion of the audit report for key destructions of the QuoVadis-hosted CAs and revocation of the remaining Siemens CAs.
Comment 19 (Assignee) • 4 years ago
The remaining Siemens CAs subject to this bug are scheduled for revocation on March 15, 2021.
- Siemens Issuing CA Internet Code Signing 2016
- Siemens Issuing CA Multi Purpose 2016
- Siemens Issuing CA EE Auth 2016
- Siemens Issuing CA EE Enc 2016
- Siemens Issuing CA EE Network Smartcard Auth 2016
- Siemens Issuing CA Medium Strength Authentication 2016
Comment 20 (Assignee) • 4 years ago
The following external sub CAs have been revoked.
CA Common Name | SHA256 |
---|---|
Siemens Issuing CA EE Enc 2016 | CCA1ABE5B33219DD0E5F39026D09763DB4176ACC73A06644993B1AD314BC238A |
Siemens Issuing CA EE Network Smartcard Auth 2016 | 9C5CCE183132533348931FB2322DA2242EE93275E561604106A4F5A5DF3BB7E1 |
Siemens Issuing CA EE Auth 2016 | B32FD027CE98A8A5B0F0C9074D21847E0124B98179280DC938FCFD1465434941 |
Siemens Issuing CA Medium Strength Authentication 2016 | 6A794BE757CDD3AC57CB8C3E965E990808169077097CA9DB11D3240F85C2EC7B |
Siemens Issuing CA Multi Purpose 2016 | 7C9327E7BFC276FD8E8276AD736D5368D4C7ABD73168BEE96A1FD7E3B0CC342A |
Siemens Issuing CA Internet Code Signing 2016 | 36E2CFFD0EC01BD6C91EEADD84DD8DE50D6A58D4FD8C3596E87FDA0918640B96 |
Audited key destruction will follow on these and previously revoked subCAs operated by Siemens identified in Comment 10 and Comment 12.
This concludes the revocation of all QuoVadis subCAs affected in this bug.
Comment 21 (Reporter) • 4 years ago
I will schedule this bug to be closed on next Wednesday, 7-Apr-2021.