Closed Bug 1693932 Opened 3 years ago Closed 3 years ago

Microsoft PKI Services: Policy Documentation, Failure to update Domain Validation Method


(CA Program :: CA Certificate Compliance, task)


(Not tracked)



(Reporter: johnmas, Assigned: johnmas)


(Whiteboard: [ca-compliance] [policy-failure])

Type: enhancement → task
  1. How your CA first became aware of the problem.

Microsoft PKI Services has had an issue brought to our attention regarding our failure to update our “Microsoft PKI Services Certification Practices Statement v3.1.7”.

In Section in regard to Domain Validation, we have not clearly delineated that some of the methods we use have been deprecated. We became aware of this issue on February 10, 2021 during discussions and review related to another Bugzilla task that we are working on 1670337 - Microsoft PKI Services: Certificate Mis-Issuance, DNSNames must have a valid TLD (

  2. A timeline of the actions your CA took in response.

A. 2021-Feb-10 – Andrew Ayer suggested that we open a separate Bugzilla task regarding updating our CPS.
B. 2021-Feb-10 - On the same day, we confirmed that Microsoft PKI Services does not use either deprecated method ( or
C. 2021-Feb-15 - We finalized a new version of the CPS that is currently in the process of review and approval with our Policy Authority.
D. 2021-Feb-19 – We re-confirmed from the Domain Validation Cache that we did not use these methods after their deprecation dates.

  3. Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident.

We never stopped certificate issuance related to the issue, because we were able to verify that our underlying validation processes followed the BRs at all times.

  4. In a case involving certificates, a summary of the problematic certificates.

We have not discovered any problematic certificates related to this incident. This bug is only related to the structure of the documentation.

  5. In a case involving certificates, the complete certificate data for the problematic certificates.

Not applicable at this point.

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

Section of our CPS expresses the Domain Validation methods that we have used to validate domains. Our objective was to list all the methods that we have used to validate domains, for all certificates that we have issued and are still currently valid. We have had a discussion with our auditors that we need to include all methods that we have used in our CPS for currently valid certificates. Therefore, we had methods listed which have been deprecated.

After discussion with this community, it was pointed out that other CAs differentiate between methods that are currently used and methods that have been used. And we agree that this is a better approach and more clearly communicates when such methods were used and when, if appropriate, they were deprecated.

  7. List of steps your CA is taking to resolve the situation and ensure that such situation or incident will not be repeated in the future, accompanied with a binding timeline of when your CA expects to accomplish each of these remediation steps.

Further mitigation steps that are planned:

  • Post an updated CPS to our Repository, v3.1.8 with this issue corrected (expected by February 26, 2021)

Thanks for reporting and working on updating your CPS.

Assignee: bwilson → johnmas
Ever confirmed: true
Whiteboard: [ca-compliance]

Microsoft PKI Services has posted an Updated CPS to our Repository (, v3.1.8 with this issue corrected per the discussion above.

We believe that this change reflects a cleaner way to communicate the methods that are used or have been used for Domain Validation.

Flags: needinfo?(bwilson)

While I set N-I to Ben, I did want to confirm:

Have you reviewed your CPS to ensure it reflects what you currently practice, throughout? That is, we use the CPS to measure what a CA is currently doing, and how they may have historically operated is maintained via past versions and the past versions' effective dates. Just wanted to make sure that, holistically, the CPS reflects what Microsoft can or will do, rather than what has or does do.

Flags: needinfo?(johnmas)

Yes, we have. Microsoft PKI Services' goal has always been to maintain our CPSs to reflect what Microsoft can or will do.

In the case of Domain Validation methods, we have noted what we have done previously as there are still valid certificates that used these methods (prior to deprecation), and we are explicit when we stopped using them. We will remove the note on the deprecated methods from our CPS in the next 12 months when there are no longer any valid certificates that had used those methods.

Flags: needinfo?(johnmas)

I'll close this next Wednesday, 7-April-2021 unless there are additional issues to discuss or address.

Closed: 3 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [policy-failure]