Open Bug 2007089 Opened 7 days ago Updated 4 hours ago

SHECA: subordinate certificates have not published the complete CRL address in CCADB

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: wangjiatai, Assigned: wangjiatai)

Details

(Whiteboard: [ca-compliance] [disclosure-failure])

Preliminary Incident Report

Summary

  • Incident Description: Some of SHECA's subordinate certificates do not publish the complete CRL address.

  • Relevant policies: CCADB Policy 6.2

    For each unexpired and unrevoked CA certificate record disclosed to the CCADB and within 7 days of the corresponding CA issuing its first certificate, CA Owners MUST disclose either:

    • the URL of a full and complete Certificate Revocation List (CRL); or
    • a JSON Array of Partitioned CRL URLs.
  • Source of incident disclosure: Third Party Reported.

Due to a configuration error during the initial issuance, some subscriber certificates incorrectly used the partitioned CRL address in their CRLs. Upon receiving an internal monitoring alert, SHECA immediately corrected the CRLs to full CRLs and configured forwarding rules to forward the incorrectly used partitioned CRL addresses to the corresponding full CRLs of the subordinate certificates. However, the partitioned CRL addresses issued in the subscriber certificates were not disclosed in CCADB.

The subordinate certificates involved are as follows:

  • CT2 OV TLS RSA CA G2
  • KeepTrust DV TLS RSA CA G1
  • SHECA DV TLS RSA CA 1A
  • SHECA OV TLS RSA CA 1A
Assignee: nobody → wangjiatai
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [disclosure-failure]
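
The failure described in the report above is a mismatch between the CRL URLs embedded in issued certificates and the CRL URLs disclosed in CCADB. The following is an added example, not SHECA's or CCADB's own code, of the cross-check a CA's internal monitoring could run: it parses the URIs out of a CRLDistributionPoints extension value with a small DER walker and compares them against the CCADB record, modelled here as two fields (a single full CRL URL and/or a JSON array of partitioned CRL URLs, the two forms named in CCADB Policy 6.2). The certificate input is a constructed extension value built by `encode_crldp`, and every URL in it is hypothetical; the field model and helper names are assumptions for the example.

```python
# Added example for this bug, not SHECA's or CCADB's code. Assumes the CCADB
# record is modelled as two fields: one full CRL URL and/or a JSON array of
# partitioned CRL URLs (the forms named in CCADB Policy 6.2). Certificate input
# is a constructed CRLDistributionPoints extension value, not a real cert.
import json


def _tlv(tag: int, content: bytes) -> bytes:
    """DER TLV with short-form length below 128 bytes, long form otherwise."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content


def encode_crldp(urls):
    """Sample-input builder: CRLDistributionPoints (RFC 5280 4.2.1.13) as
    SEQUENCE OF DistributionPoint, each carrying one URI in fullName."""
    dps = b""
    for url in urls:
        uri = _tlv(0x86, url.encode("ascii"))   # GeneralName [6] IA5String
        full_name = _tlv(0xA0, uri)             # DistributionPointName fullName [0]
        dps += _tlv(0x30, _tlv(0xA0, full_name))  # distributionPoint [0], explicit
    return _tlv(0x30, dps)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _children(content: bytes):
    pos = 0
    while pos < len(content):
        tag, inner, pos = _read_tlv(content, pos)
        yield tag, inner


def parse_crldp(ext_value: bytes):
    """URIs named in a CRLDistributionPoints value; nameRelativeToCRLIssuer,
    reasons, cRLIssuer and non-URI GeneralNames are ignored."""
    tag, seq, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("extension value is not a single SEQUENCE")
    urls = []
    for dp_tag, dp in _children(seq):
        if dp_tag != 0x30:
            raise ValueError("DistributionPoint is not a SEQUENCE")
        for field_tag, field in _children(dp):
            if field_tag != 0xA0:              # distributionPoint [0] only
                continue
            for name_tag, names in _children(field):
                if name_tag == 0xA0:           # fullName [0] GeneralNames
                    urls += [gn.decode("ascii") for t, gn in _children(names) if t == 0x86]
    return urls


def disclosed_crl_urls(ccadb_fields) -> set:
    """Union of the full-CRL field (one URL) and the partitioned-CRL field
    (JSON array of URLs); blank fields contribute nothing."""
    urls = set()
    for field in (f.strip() for f in ccadb_fields if f.strip()):
        if field.startswith("["):
            part = json.loads(field)
            if not all(isinstance(u, str) for u in part):
                raise ValueError("partitioned CRL array must hold URL strings")
            urls.update(part)
        else:
            urls.add(field)
    return urls


def undisclosed_crl_urls(cert_ext_values, ccadb_fields):
    """CRL URLs present in issued certificates but absent from the CCADB record."""
    seen = set()
    for ext in cert_ext_values:
        seen.update(parse_crldp(ext))
    return sorted(seen - disclosed_crl_urls(ccadb_fields))


# Constructed sample with hypothetical URLs, not SHECA's actual CRL addresses.
FULL_CRL = "http://crl.example.test/sub-ca.crl"
PARTITIONED = ["http://crl.example.test/sub-ca-p1.crl",
               "http://crl.example.test/sub-ca-p2.crl"]
PARTITIONED_JSON = json.dumps(PARTITIONED)
SAMPLE_CERT_EXTS = [encode_crldp([u]) for u in [FULL_CRL] + PARTITIONED]


def demo():
    # Only the full CRL is disclosed: the partitioned URLs some subscriber
    # certificates point at are the gap this bug reports.
    gap = undisclosed_crl_urls(SAMPLE_CERT_EXTS, [FULL_CRL, ""])
    # With the JSON array also disclosed, the check comes up clean.
    fixed = undisclosed_crl_urls(SAMPLE_CERT_EXTS, [FULL_CRL, PARTITIONED_JSON])
    return gap, fixed


if __name__ == "__main__":
    print(demo())
```

The check works on the URL strings actually encoded in the certificates, so an HTTP forwarding rule on the CA's CRL host (as described in the report) does not make a URL disappear from the result; only adding it to the CCADB record does. A real deployment would feed `parse_crldp` the raw extension value taken from each issued certificate, for example from the CA's issuance database or CT logs, rather than the constructed sample.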

Update

A full incident report is expected to be released by December 31, 2025.
