Closed Bug 1981380 Opened 5 months ago Closed 5 months ago

SHECA: Issuing with OV Policy OID but not an OV cert

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1946921

People

(Reporter: jrmoir, Assigned: wangjiatai)

Details

(Whiteboard: [ca-compliance] [dv-misissuance] [external])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:141.0) Gecko/20100101 Firefox/141.0

Steps to reproduce:

SHECA / Shanghai Electronic Certification Authority Co., Ltd. appear to have issued a few certs that claim to be OV (using policy OID 2.23.140.1.2.2) but contain only a C and CN in Subject:
https://crt.sh/?id=16535669659
https://crt.sh/?id=16546315389
https://crt.sh/?id=16556132396

They seem to be revoked, but were still mis-issued.

I see also that the CA is signed by Certum/Asseco; I would expect them to review and add comments.

Assignee: nobody → wangjiatai
Type: defect → task
Whiteboard: [ca-compliance] [dv-misissuance] [external]

(In reply to JR Moir from comment #0)

Hello!

Regarding the issue of the three incorrectly issued certificates mentioned in your case, SHECA has already provided a detailed explanation in a previous case.
https://bugzilla.mozilla.org/show_bug.cgi?id=1946921

The issue occurred because the administrator mistakenly applied the OV (Organization Validation) template to the DV (Domain Validation) certificate product during the configuration process. SHECA has urgently fixed this issue, and the certificates issued afterward are correct. Additionally, SHECA has conducted a full scan of all certificates related to the issue you mentioned and confirmed that no similar problems exist.

If you have any other questions, please feel free to let me know!

(In reply to JR Moir from comment #0)

SHECA checked all valid SSL certificates using the lint tool today and found no certificates with the same issue. If you have any clues about this, please let us know!
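A minimal version of the check this thread turns on, as an added example (not SHECA's lint tool and not code from this bug): it flags a certificate that asserts policy OID 2.23.140.1.2.2 while its Subject has no organizationName, which the CA/Browser Forum Baseline Requirements require for that OID. The names `lintOVSubject` and `sampleCert`, the country code "XX" and the host name "example.test" are assumptions, and the certificates are constructed in memory rather than taken from crt.sh.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var ovPolicy = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // CA/B Forum OID: organization-validated

// lintOVSubject flags a certificate that asserts OV without organizationName in Subject.
func lintOVSubject(cert *x509.Certificate) string {
	for _, oid := range cert.PolicyIdentifiers {
		if oid.Equal(ovPolicy) && len(cert.Subject.Organization) == 0 {
			return "asserts OV policy 2.23.140.1.2.2 but Subject has no organizationName"
		}
	}
	return ""
}

// sampleCert builds a constructed self-signed cert (not one from the bug) asserting OV;
// calling it with no org leaves only C and CN in the Subject.
func sampleCert(org ...string) (*x509.Certificate, error) {
	type policyInfo struct{ ID asn1.ObjectIdentifier }
	ext, _ := asn1.Marshal([]policyInfo{{ovPolicy}}) // certificatePolicies value; fixed input
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		Subject: pkix.Name{Country: []string{"XX"}, Organization: org, CommonName: "example.test"},
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: ext}},
	}
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // throwaway test key
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	bad, err := sampleCert() // Subject: C + CN only, as in the report
	if err != nil {
		panic(err)
	}
	fmt.Println(lintOVSubject(bad))
}
```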

SHECA has confirmed that no relevant issues are present in the case and requests its closure.

We believe this should be marked as INVALID given the existence of https://bugzilla.mozilla.org/show_bug.cgi?id=1946921.

Nevertheless, we appreciate the reporter's participation in the public incident reporting process, and SHECA's timely responses.

Flags: needinfo?(incident-reporting)
Status: UNCONFIRMED → RESOLVED
Closed: 5 months ago
Duplicate of bug: 1946921
Flags: needinfo?(incident-reporting)
Resolution: --- → DUPLICATE