Open Bug 2007221 Opened 1 month ago Updated 3 days ago

Microsoft PKI Services: Improper Disclosure of CRL

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: CentralPKI, Assigned: CentralPKI)

Details

(Whiteboard: [ca-compliance] [disclosure failure])

Preliminary Incident Report

Summary

  • Incident description: In August 2025, Microsoft PKI Services created twelve (12) new Certification Authorities (CAs) and added them to the CCADB.

    In September, we opened Bugzilla 1990801 – Microsoft: improper disclosure of CRL after identifying that the JSON Array of Partitioned CRL URLs for one of the newly created CAs had been incorrectly formatted, resulting in a violation of Section 6.2 of the CCADB Policy. To resolve that bug, we removed the JSON array and instead listed the full (non‑partitioned) CRL URL for each of the 12 affected CAs.

    On 2025‑12‑18 at ~12:02 PM PST, Microsoft PKI Services received a Certificate Problem Reporting email indicating that we may still be in violation of Section 6.2. The reporter examined six recently issued certificates (from two of the twelve CAs) and observed that the CRL Distribution Point (CDP) URLs contained in the certificates were partitioned CRL URLs, which were not listed in CCADB.

    Following investigation, we determined that the correct approach to comply with Section 6.2 is to disclose the JSON Array of Partitioned CRL URLs in CCADB for all twelve CAs, rather than relying on a single full CRL URL.

    On 2025‑12‑19 at ~2:03 PM PST, Microsoft PKI Services updated all twelve CAs in CCADB to include the full JSON Array of Partitioned CRL URLs.

  • Relevant policies:
    Section 6.2 of CCADB Policy: Certificate Revocation List Disclosures

  • Source of incident disclosure:
    Microsoft PKI Services was notified via Certificate Problem Reporting email on 2025-12-18 at ~12:02 PM PST.

Assignee: nobody → CentralPKI
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [disclosure failure]

Full Incident Report

Summary

  • CA Owner CCADB unique ID: A002577
  • Incident description:

In August 2025, Microsoft PKI Services created twelve (12) new Certification Authorities (CAs) and added them to the CCADB (See Appendix for specifics).

In September, we opened Bugzilla 1990801 – Microsoft: improper disclosure of CRL after identifying that the JSON Array of Partitioned CRL URLs for one of the newly created CAs had been incorrectly formatted, resulting in a violation of Section 6.2 of the CCADB Policy. To resolve that bug, we removed the JSON array and instead listed the full CRL URL for each of the 12 affected CAs.

On 2025‑12‑18 at ~12:02 PM PST, Microsoft PKI Services received a Certificate Problem Reporting email indicating that we may still be in violation of Section 6.2. The reporter examined six recently issued certificates (from two of the twelve CAs) and observed that the CRL Distribution Point (CDP) URLs contained in the certificates were partitioned CRL URLs, which were not listed in CCADB. (Please note: all CRL URLs listed in certificates correctly resolved to the applicable CRL; the issue is that not all listed CRLs were published in CCADB.)

Following investigation, we determined that the correct approach to comply with Section 6.2 is to disclose the JSON Array of Partitioned CRL URLs in CCADB for all twelve CAs, rather than relying on a single full CRL URL.

On 2025‑12‑19 at ~2:03 PM PST, Microsoft PKI Services updated all twelve CAs in CCADB to include the full JSON Array of Partitioned CRL URLs.

  • Timeline summary:

    • Non-compliance start date: 2025-09-23
    • Non-compliance identified date: 2025-12-18 ~12:02 PM PST
    • Non-compliance end date: 2025‑12‑19 ~2:03 PM PST
  • Relevant policies: Section 6.2 of CCADB Policy: Certificate Revocation List Disclosures (https://www.ccadb.org/policy#62-certificate-revocation-list-disclosures)

  • Source of incident disclosure: Microsoft PKI Services was notified via Certificate Problem Reporting email on 2025-12-18 at ~12:02 PM PST.

Impact

  • Total number of certificates: 0
  • Total number of "remaining valid" certificates: N/A
  • Affected certificate types: N/A
  • Incident heuristic: N/A
  • Was issuance stopped in response to this incident, and why or why not? N/A
  • Analysis: N/A
  • Additional considerations: N/A

Timeline

  • 2025-09-23 – MS PKI Services Added 12 new CA certs to CCADB and updated Metadata (including CRL information)

  • 2025-09-25 – MS PKI Services was notified via email Problem Report that there was an issue with 1 of the 12 Partitioned JSON Arrays that we updated in CCADB

  • 2025-09-25 – MS PKI Services investigated the Problem Report and resolved the JSON Array issue for the CA in question.

  • 2025-12-18 – MS PKI Services received a problem report specific to 2 of the 12 CAs mentioned above. The CRLs listed in the certificates issued by these CAs were not listed in CCADB.

  • 2025-12-19 - MS PKI Services mitigated the issue by posting the JSON Array of partitioned CRLs in CCADB.

Related Incidents

| Bug | Date | Description |
|---|---|---|
| 2007089 | 2025-12-19 | SHECA: subordinate certificates have not published the complete CRL address in CCADB |
| 2007105 | 2025-12-19 | Asseco DS / Certum: CRL URLs disclosed in CCADB do not exactly match the CRL URLs in certificates |
| 2007238 | 2025-12-20 | Certigna: CRL URL Disclosure |
| 2007098 | 2025-12-19 | GlobalSign: misalignment of CRL URL in CCADB with issued certificates |
| 2007116 | 2025-12-19 | D-Trust: CRL URL Disclosure |
| 2007297 | 2025-12-21 | eMudhra emSign PKI Services: CRL URL Mismatch Between CCADB Disclosure and Issued Certificates |
| 2007072 | 2025-12-19 | TrustAsia: CRL disclosure address incorrectly using HTTPS scheme in CCADB |
| 2007066 | 2025-12-18 | Disig: Missing CA Disig R2I2 Certification Service Full CRL URLs in CCADB |
| 2007216 | 2025-12-19 | GoDaddy: CRL Disclosure in CCADB Mismatch with Issued Certificates |

Root Cause Analysis

  • Contributing Factor #1: We incorrectly interpreted the best way to comply with Section 6.2 of the CCADB Policy in September 2025 when we updated these CAs in CCADB.

    • Description: In a previous incident specific to Section 6.2, we focused on the errors inherent in MANUALLY updating CCADB and determined the best course of action was to keep it simple and post Full CRLs (as the policy has an “OR” selection). What we failed to consider is that the Section as a WHOLE focuses on what will be published in the issued certificates. After this Problem Report that fact stood out to us and we have now updated our process for CAs with partitioned CRLs to post the JSON Array.
  • Timeline:

    • 2025-09-23 – As described in 1990801 - Microsoft: improper disclosure of CRL, we updated CRLs in CCADB for the first 12 CAs that Microsoft PKI Services has created with partitioned CRLs. This was the start of non-compliance.
    • 2025-09-25 – We resolved the improper JSON Array issue by reverting to FULL CRLs in CCADB. We now understand that was problematic: while it helped to mitigate the errors in posting erroneous JSON Arrays, it did not address all the requirements of Section 6.2.
    • 2025-12-19 – We resolved the non-compliance by updating our process for posting JSON Arrays manually to CCADB and updating the 12 CAs that had this issue in CCADB.
  • Detection: Incident investigation.

  • Interaction with other factors: Primary issue is in considering Section 6.2 as a whole and compliance with all parts of the Section.

  • Root Cause Analysis methodology used: 5 Whys

Lessons Learned

  • What went well: All CRLs are current and up to date (before and after the incident).
  • What didn’t go well: Improper disclosure of all of the CRLs that are published in our certificates in CCADB.
  • Where we got lucky: We were notified of this compliance issue by a third party.
  • Additional: N/A

Action Items

| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Update CRL JSON Array in CCADB for the 12 CAs in question | Mitigate | Root Cause #1 | 12 CAs are updated in CCADB with JSON Array of CRL URLs that are published in issued certificates. | 2025-12-19 | Complete |
| Update process to post CRL JSON Arrays in CCADB to avoid incidents like we had in Sept 2025 (improper JSON issue) | Mitigate | Root Cause #1 | Internal process for team to follow is updated and documented. | 2025-12-19 | Complete |
| Investigate to ensure all CAs disclosed have the correct CDPs listed | Mitigate | Root Cause #1 | Complete internal review to ensure that all posted CRLs in CCADB are properly disclosed; to date we have only identified 12 CAs. | 2026-01-09 | In Process |
| Add detection capabilities to ensure CRLs posted in CCADB are what we are publishing in Certificates | Detect | Root Cause #1 | Tools and/or processes in place to ensure we quickly detect and mitigate any future CDPs that are not disclosed in CCADB | 2026-02-20 | In Process |

Appendix

Twelve CAs with Improper Disclosure of CRLs in CCADB are listed here:

| CA Name | CA Certificate |
|---|---|
| Microsoft TLS G2 RSA CA OCSP 02 | http://www.microsoft.com/pkiops/certs/microsoft%20tls%20g2%20rsa%20ca%20ocsp%2002.crt |
| Microsoft TLS G2 RSA CA OCSP 04 | http://www.microsoft.com/pkiops/certs/microsoft%20tls%20g2%20rsa%20ca%20ocsp%2004.crt |
| Microsoft TLS G2 RSA CA OCSP 06 | http://www.microsoft.com/pkiops/certs/microsoft%20tls%20g2%20rsa%20ca%20ocsp%2006.crt |
| Microsoft TLS G2 RSA CA OCSP 08 | http://www.microsoft.com/pkiops/certs/microsoft%20tls%20g2%20rsa%20ca%20ocsp%2008.crt |
| Microsoft TLS G2 RSA CA OCSP 10 | http://www.microsoft.com/pkiops/certs/microsoft%20tls%20g2%20rsa%20ca%20ocsp%2010.crt |
| Microsoft TLS G2 RSA CA OCSP 12 | http://www.microsoft.com/pkiops/certs/microsoft%20tls%20g2%20rsa%20ca%20ocsp%2012.crt |
| Microsoft TLS G2 RSA CA OCSP 14 | http://www.microsoft.com/pkiops/certs/microsoft%20tls%20g2%20rsa%20ca%20ocsp%2014.crt |
| Microsoft TLS G2 RSA CA OCSP 16 | http://www.microsoft.com/pkiops/certs/microsoft%20tls%20g2%20rsa%20ca%20ocsp%2016.crt |
| Microsoft TLS G2 ECC CA OCSP 02 | http://www.microsoft.com/pkiops/certs/microsoft%20tls%20g2%20ecc%20ca%20ocsp%2002.crt |
| Microsoft TLS G2 ECC CA OCSP 04 | http://www.microsoft.com/pkiops/certs/microsoft%20tls%20g2%20ecc%20ca%20ocsp%2004.crt |
| Microsoft TLS G2 ECC CA OCSP 06 | http://www.microsoft.com/pkiops/certs/microsoft%20tls%20g2%20ecc%20ca%20ocsp%2006.crt |
| Microsoft TLS G2 ECC CA OCSP 08 | http://www.microsoft.com/pkiops/certs/microsoft%20tls%20g2%20ecc%20ca%20ocsp%2008.crt |
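The detection that Action Item #4 calls for, written here as an added example (not Microsoft's or CCADB's own tooling): parse a CCADB CRL disclosure value, which is either a single full-CRL URL or a JSON array of partitioned CRL URLs, and compare it byte for byte against the CDP URLs seen in issued certificates. The URLs, CA name and function names are constructed for the example; the certificate CDP URLs are assumed to have been extracted beforehand (for instance with `openssl x509 -noout -ext crlDistributionPoints`).

```python
"""Section 6.2 check: every CRL Distribution Point (CDP) URL found in a CA's
issued certificates must appear, byte for byte, in that CA's CCADB CRL
disclosure. Example code; not Microsoft's or CCADB's tooling."""
from __future__ import annotations

import json
from urllib.parse import urlsplit


def parse_ccadb_crl_field(value: str) -> tuple[list[str], list[str]]:
    """Return (disclosed_urls, problems) for one CCADB CRL disclosure value.
    A value starting with '[' is a JSON array of partitioned CRL URLs; anything
    else is a single full-CRL URL. No normalisation is applied because CCADB
    comparison is an exact string match."""
    problems: list[str] = []
    raw = value.strip()
    if raw.startswith("["):
        try:
            parsed = json.loads(raw)
        except json.JSONDecodeError as exc:  # the Bug 1990801 failure mode
            return [], [f"malformed JSON array: {exc.msg}"]
        if not isinstance(parsed, list) or not all(isinstance(u, str) for u in parsed):
            return [], ["JSON array must contain only URL strings"]
        urls = parsed
    else:
        urls = [raw] if raw else []
    for url in urls:
        if urlsplit(url).scheme != "http":  # CRL Watch's "unsupported protocol scheme"
            problems.append(f"unsupported protocol scheme in {url!r}")
        if url != url.strip():
            problems.append(f"leading/trailing whitespace in {url!r}")
    return urls, problems


def undisclosed_cdps(cert_cdp_urls: list[str], ccadb_value: str) -> dict:
    """Compare CDP URLs taken from issued certificates against the CCADB value.
    'missing' lists CDP URLs that are not disclosed byte for byte."""
    disclosed, problems = parse_ccadb_crl_field(ccadb_value)
    missing = sorted({u for u in cert_cdp_urls if u not in disclosed})
    return {"compliant": not missing and not problems, "missing": missing, "problems": problems}


# Constructed sample values for a hypothetical CA with partitioned CRLs
# (placeholders, not Microsoft's real CRL URLs).
FULL_CRL = "http://crl.example.com/pkiops/crl/example%20ca%2002.crl"
PARTITIONED = [
    "http://crl.example.com/pkiops/crl/example%20ca%2002-1.crl",
    "http://crl.example.com/pkiops/crl/example%20ca%2002-2.crl",
]
# CDP URLs observed in issued certificates: each certificate names one partition.
CERT_CDPS = [PARTITIONED[0], PARTITIONED[1], PARTITIONED[0]]

# September 2025 approach: disclose only the full CRL. Certificates point at
# partitions, so every CDP is undisclosed even though the full CRL resolves.
FULL_ONLY = undisclosed_cdps(CERT_CDPS, FULL_CRL)
# December 2025 fix: disclose the JSON array of partitioned CRL URLs.
ARRAY = undisclosed_cdps(CERT_CDPS, json.dumps(PARTITIONED))
# Failure modes from the related bugs: malformed JSON (trailing comma), an https
# scheme, and a near miss that is not byte-identical (unescaped spaces).
MALFORMED = undisclosed_cdps(CERT_CDPS, '["http://crl.example.com/a.crl",]')
HTTPS = undisclosed_cdps(CERT_CDPS, json.dumps([u.replace("http://", "https://") for u in PARTITIONED]))
SPACES = undisclosed_cdps(CERT_CDPS, json.dumps([u.replace("%20", " ") for u in PARTITIONED]))

if __name__ == "__main__":
    for name, result in [("full-only", FULL_ONLY), ("array", ARRAY), ("malformed", MALFORMED),
                         ("https", HTTPS), ("spaces", SPACES)]:
        print(name, result)
```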

FIR Update

During our investigation into the Action Item, "all CAs disclosed having the correct CDPs", we discovered on 2025-01-06 that we have additional syntax issues with the CRL URLs posted in CCADB. These were discovered when we checked the CRL Watch tool.

There are 3 issues currently identified in the tool with respect to 20 Issuer IDs. The 3 issues are “Issuing Distribution Point (IDP) does not contain expected URL”, “unsupported protocol scheme” and “does not match CA subject”. Appendix B below lists the specific issues identified.

Microsoft PKI Services is working through remediation of these issues now, and we have updated Action Items below.

Action Items

| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Update CRL JSON Array in CCADB for the 12 CAs in question | Mitigate | Root Cause #1 | 12 CAs are updated in CCADB with JSON Array of CRL URLs that are published in issued certificates. | 2025-12-19 | Complete |
| Update process to post CRL JSON Arrays in CCADB to avoid incidents like we had in Sept 2025 (improper JSON issue) | Mitigate | Root Cause #1 | Internal process for team to follow is updated and documented. This is specific to the issue related to improper JSON Array formatting. | 2025-12-19 | Complete |
| Investigate to ensure all CAs disclosed have the correct CDPs listed | Mitigate | Root Cause #1 | Complete internal review to ensure that all posted CRLs in CCADB are properly disclosed; to date we have only identified 12 CAs. | 2026-01-30 | In Process |
| Add detection capabilities to ensure CRLs posted in CCADB are what we are publishing in Certificates | Detect | Root Cause #1 | Tools and/or processes in place to ensure we quickly detect and mitigate any future CDPs that are not disclosed in CCADB | 2026-02-20 | In Process |
| Check that ALL CDPs disclosed in CCADB for all CAs are byte for byte identical to the CRL URLs that are listed in Issued Certificates | Detect | Root Cause #1 | Complete internal review to ensure that all posted CRLs (from all MPS CAs) in CCADB are byte for byte identical to the CRL URLs that are listed in Issued Certificates. | 2026-01-16 | In Process |
| Update process to post CRL URLs in CCADB to ensure they are byte for byte identical to what is posted in Issued Certificates. | Mitigate | Root Cause #1 | Internal process for team to follow is updated and documented. This is related to the issue where the URLs are not byte for byte identical to each other. | 2026-01-30 | In Process |
| Update all CRL URLs in CCADB that have identified syntax issues. | Mitigate | Root Cause #1 | Repair all identified syntax issues in CCADB | 2026-01-30 | In Process |

Appendix B – CA Issues in CRL Watch

| Syntax Issue Type | Issuer ID in CRL Watch | Related CA |
|---|---|---|
| IDP does not contain expected URL | 261349 | Microsoft Azure ECC TLS Issuing CA 03 |
| IDP does not contain expected URL | 416992 | Microsoft TLS G2 RSA CA OCSP 04 |
| IDP does not contain expected URL | 416996 | Microsoft TLS G2 RSA CA OCSP 02 |
| IDP does not contain expected URL | 423930 | Microsoft TLS G2 RSA CA OCSP 12 |
| IDP does not contain expected URL | 423927 | Microsoft TLS G2 ECC CA OCSP 04 |
| IDP does not contain expected URL | 423931 | Microsoft TLS G2 RSA CA OCSP 14 |
| IDP does not contain expected URL | 421530 | Microsoft TLS G2 ECC CA OCSP 02 |
| IDP does not contain expected URL | 423928 | Microsoft TLS G2 ECC CA OCSP 08 |
| IDP does not contain expected URL | 423929 | Microsoft TLS G2 RSA CA OCSP 08 |
| IDP does not contain expected URL | 416994 | Microsoft TLS G2 RSA CA OCSP 10 |
| IDP does not contain expected URL | 416993 | Microsoft TLS G2 RSA CA OCSP 06 |
| IDP does not contain expected URL | 416995 | Microsoft TLS G2 RSA CA OCSP 16 |
| IDP does not contain expected URL | 421572 | Microsoft TLS G2 ECC CA OCSP 06 |
| unsupported protocol scheme | 432537 | Microsoft TLS G1 RSA CA 01 |
| unsupported protocol scheme | 432447 | Microsoft TLS G1 RSA CA 03 |
| unsupported protocol scheme | 432170 | Microsoft TLS G1 RSA CA 02 |
| unsupported protocol scheme | 432171 | Microsoft TLS G1 ECC CA 02 |
| unsupported protocol scheme | 432445 | Microsoft TLS G1 RSA CA 04 |
| unsupported protocol scheme | 432534 | Microsoft TLS G1 ECC CA 01 |
| does not match CA subject | 108775 | Microsoft ECC Root Certificate Authority 2017 |

(In reply to Microsoft PKI Services from comment #2)

FIR Update

During our investigation into the Action Item, "all CAs disclosed having the correct CDPs", we discovered on 2025-01-06 that we have additional syntax issues with the CRL URLs posted in CCADB. These were discovered when we checked the CRL Watch tool.

There are 3 issues currently identified in the tool with respect to 20 Issuer IDs. The 3 issues are “Issuing Distribution Point (IDP) does not contain expected URL”, “unsupported protocol scheme” and “does not match CA subject”. Appendix B below lists the specific issues identified.

Those are separate incidents and should be filed within 72 hours of your discovery. During the incident report it would be worth noting why this was overlooked despite multiple overlapping incidents by yourselves for this time period.

Response to Comment 3 - Wayne


FIR Update
During our investigation into the Action Item, "all CAs disclosed having the correct CDPs", we discovered on 2025-01-06 that we have additional syntax issues with the CRL URLs posted in CCADB. These were discovered when we checked the CRL Watch tool.
There are 3 issues currently identified in the tool with respect to 20 Issuer IDs. The 3 issues are “Issuing Distribution Point (IDP) does not contain expected URL”, “unsupported protocol scheme” and “does not match CA subject”. Appendix B below lists the specific issues identified.

Those are separate incidents and should be filed within 72 hours of your discovery. During the incident report it would be worth noting why this was overlooked despite multiple overlapping incidents by yourselves for this time period.

We agree with your suggestion. In response we have opened the following Bugzillas to track each issue individually:

2009539 - Microsoft PKI Services: Improper Disclosure of CRLs – IDP – Existing CAs
2009542 - Microsoft PKI Services: Improper Disclosure of CRLs – IDP – New CAs
2009543 - Microsoft PKI Services: Improper Disclosure of CRLs – Does Not Match CA Subject
2009543 - Microsoft PKI Services: Improper Disclosure of CRLs – Does Not Match CA Subject

We will follow CCADB IRG for these Bugzillas.

Weekly Status Update


In our previous FIR update, we noted additional syntax issues related to our CRLs. Per the suggestion of Wayne in Comment 3 we have opened individual Bugzilla entries for each issue identified in CRL Watch to ensure targeted remediation. These new bugs will track fixes for the three syntax-related problems—“Issuing Distribution Point (IDP) does not contain expected URL”, “unsupported protocol scheme” and “does not match CA subject”. While these bugs address specific findings, we are reverting to the original repair items for this bug to maintain alignment with our broader remediation plan and process improvements for this specific issue.

| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Update CRL JSON Array in CCADB for the 12 CAs in question | Mitigate | Root Cause #1 | 12 CAs are updated in CCADB with JSON Array of CRL URLs that are published in issued certificates. | 2025-12-19 | Complete |
| Update process to post CRL JSON Arrays in CCADB to avoid incidents like we had in Sept 2025 (improper JSON issue) | Mitigate | Root Cause #1 | Internal process for team to follow is updated and documented. This is specific to the issue related to improper JSON Array formatting. | 2025-12-19 | Complete |
| Investigate to ensure all CAs disclosed have the correct CDPs listed | Mitigate | Root Cause #1 | Complete internal review to ensure that all posted CRLs in CCADB are properly disclosed. To date we have only identified 12 CAs. | 2026-01-30 | In Process |
| Add detection capabilities to ensure CRLs posted in CCADB are what we are publishing in Certificates | Detect | Root Cause #1 | Tools and/or processes in place to ensure we quickly detect and mitigate any future CDPs that are not disclosed in CCADB | 2026-02-20 | In Process |

Correction to Comment 4


We agree with your suggestion. In response we have opened the following Bugzillas to track each issue individually:
• 2009539 - Microsoft PKI Services: Improper Disclosure of CRLs – IDP – Existing CAs
• 2009542 - Microsoft PKI Services: Improper Disclosure of CRLs – IDP – New CAs
• 2009543 - Microsoft PKI Services: Improper Disclosure of CRLs – Does Not Match CA Subject
• 2009543 - Microsoft PKI Services: Improper Disclosure of CRLs – Does Not Match CA Subject

We added a duplicate link for Bugzilla 2009543. Please note that the 4th bug is:

2009545 - Microsoft PKI Services: Improper Disclosure of CRLs – Protocol Scheme

Weekly Status Update


We are actively working on all repair items mentioned in the Full incident report. Please note that the items marked complete are specific to the issue being discussed in this Bugzilla (JSON Array for partitioned CA). Additional issues related to the disclosure of the CRLs currently exist for these CAs. The remediation for them will be tackled in the appropriate Bugzillas that have been opened.

| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Update CRL JSON Array in CCADB for the 12 CAs in question | Mitigate | Root Cause #1 | 12 CAs are updated in CCADB with JSON Array of CRL URLs that are published in issued certificates. | 2025-12-19 | Complete |
| Update process to post CRL JSON Arrays in CCADB to avoid incidents like we had in Sept 2025 (improper JSON issue) | Mitigate | Root Cause #1 | Internal process for team to follow is updated and documented. This is specific to the issue related to improper JSON Array formatting. | 2025-12-19 | Complete |
| Investigate to ensure all CAs disclosed have the correct CDPs listed | Mitigate | Root Cause #1 | Complete internal review to ensure that all posted CRLs in CCADB are properly disclosed. To date we have only identified 12 CAs. | 2026-01-30 | In Process |
| Add detection capabilities to ensure CRLs posted in CCADB are what we are publishing in Certificates | Detect | Root Cause #1 | Tools and/or processes in place to ensure we quickly detect and mitigate any future CDPs that are not disclosed in CCADB. | 2026-02-20 | In Process |

Weekly Status Update


We are actively working on all repair items mentioned in the Full incident report. No new changes at this time.

Weekly Status Update


We are actively working on all repair items mentioned in the Full incident report. The due date for action item #3 has been extended to February 20th to allow additional time to complete internal reviews of CCADB-disclosed information.

| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Update CRL JSON Array in CCADB for the 12 CAs in question | Mitigate | Root Cause #1 | 12 CAs are updated in CCADB with JSON Array of CRL URLs that are published in issued certificates. | 2025-12-19 | Complete |
| Update process to post CRL JSON Arrays in CCADB to avoid incidents like we had in Sept 2025 (improper JSON issue) | Mitigate | Root Cause #1 | Internal process for team to follow is updated and documented. This is specific to the issue related to improper JSON Array formatting. | 2025-12-19 | Complete |
| Investigate to ensure all CAs disclosed have the correct CDPs listed | Mitigate | Root Cause #1 | Complete internal review to ensure that all posted CRLs in CCADB are properly disclosed. To date we have only identified 12 CAs. | 2026-02-20 | In Progress |
| Add detection capabilities to ensure CRLs posted in CCADB are what we are publishing in Certificates | Detect | Root Cause #1 | Tools and/or processes in place to ensure we quickly detect and mitigate any future CDPs that are not disclosed in CCADB | 2026-02-20 | In Progress |

Weekly Status Update


Action Item #4 has been completed. We are actively working to complete the repair item #3 by the specified due date.

| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| #1 - Update CRL JSON Array in CCADB for the 12 CAs in question | Mitigate | Root Cause #1 | 12 CAs are updated in CCADB with JSON Array of CRL URLs that are published in issued certificates. | 2025-12-19 | Complete |
| #2 - Update process to post CRL JSON Arrays in CCADB to avoid incidents like we had in Sept 2025 (improper JSON issue) | Mitigate | Root Cause #1 | Internal process for team to follow is updated and documented. This is specific to the issue related to improper JSON Array formatting. | 2025-12-19 | Complete |
| #3 - Investigate to ensure all CAs disclosed have the correct CDPs listed | Mitigate | Root Cause #1 | Complete internal review to ensure that all posted CRLs in CCADB are properly disclosed. To date we have only identified 12 CAs. | 2026-02-20 | In Progress |
| #4 - Add detection capabilities to ensure CRLs posted in CCADB are what we are publishing in Certificates | Detect | Root Cause #1 | Tools and/or processes in place to ensure we quickly detect and mitigate any future CDPs that are not disclosed in CCADB. | 2026-02-20 | Complete |