Open Bug 2007297 Opened 1 month ago Updated 4 days ago

eMudhra emSign PKI Services: CRL URL Mismatch Between CCADB Disclosure and Issued Certificates

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: naveen.ml, Assigned: naveen.ml)

Details

(Whiteboard: [ca-compliance] [disclosure failure])

Attachments

(1 file)

18.76 KB, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet

Preliminary Incident Report

Summary

  • Incident description:
    On 19th Dec 2025 01:35 AM, eMudhra received an external report indicating that certain CRL Distribution Point (CRLDP) HTTP URLs appearing in currently-valid certificates do not appear disclosed in the CCADB CRL URL fields, as required by the CCADB Policy. Based on an initial review, the relevant CRLs are present and retrievable, and the reported issue relates to exact URL string matching and representation differences between certificate-encoded CRLDP URIs and CCADB-disclosed CRL URLs (for example, formatting differences such as ? vs /? and/or http vs https). eMudhra is actively validating the reported CRLDP URLs against the corresponding CCADB records to confirm scope and identify the appropriate remediation and reporting path.

  • Relevant policies:
    CCADB Policy version 2.0 section 6.2: "URLs: MUST match exactly as they appear in the certificates issued by the corresponding CA."

  • Source of incident disclosure:
    External report received via the problem-reporting contact email.

Assignee: nobody → naveen.ml
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [disclosure failure]

Full Incident Report

Summary

  • CA Owner CCADB unique ID:
    A005678

  • Incident description:
    On 19 December 2025, eMudhra received an external report indicating that certain CRL Distribution Point (CRLDP) HTTP URLs appearing in currently-valid certificates did not appear to be disclosed in the corresponding CCADB CRL URL fields, as required by CCADB Policy Section 6.2.
    Initial investigation confirmed that all referenced CRL endpoints were present, accessible, and serving the correct CRL files. The reported concern was traced to differences in exact URL string representation between certificate-encoded CRLDP URIs and CCADB-disclosed CRL URLs (for example, normalization differences such as the presence or absence of a slash following the hostname, or http vs https scheme representation), rather than missing or undisclosed CRLs.

  • Timeline summary: (IST)

    • Non-compliance start date:
      15 July 2025, 00:00:00
    • Non-compliance identified date:
      19 December 2025, 01:35
    • Non-compliance end date:
      31 December 2025, 18:00
  • Relevant policies:
    CCADB Policy v2.0, Section 6.2 – Certificate Revocation List Disclosures

  • Source of incident disclosure:
    External report received via the problem-reporting contact email.

Impact

  • Total number of certificates:
    No certificates were revoked, reissued, or otherwise impacted.
  • Total number of "remaining valid" certificates:
    N/A
  • Affected certificate types:
    CA certificates with CRL Distribution Point URLs disclosed in CCADB.
  • Incident heuristic:
    Compliance and disclosure representation issue (exact URL string matching).
  • Was issuance stopped in response to this incident, and why or why not?:
    No. Certificate issuance and revocation services were not impacted. The issue was limited to CCADB disclosure formatting and did not affect CRL availability or relying party behavior.
  • Analysis:
    As part of the investigation, eMudhra reviewed all CRL URLs disclosed in CCADB for active Issuing CA certificates. This review confirmed that 100 CRL entries had URL representations that did not exactly match the CRL Distribution Point values embedded in the corresponding certificates.
    In all cases:
    • The CRL endpoints were valid and reachable.
    • The CRL content correctly represented revocation state.
    • The differences were limited to URL representation (such as implicit path normalization or http vs https scheme representation), not to the underlying resource.
    The discrepancy occurred because CCADB requires exact string matching, whereas the issuance and publication workflows relied on functional equivalence of URLs rather than strict textual identity. This resulted in CCADB records that technically did not meet policy requirements, even though operational behavior remained correct.
  • Additional considerations:
    No revocation failures, validation failures, or relying-party impact were identified during or prior to this review.

Timeline

All times are IST.
Prior to 19-12-2025: CRL URLs were disclosed in CCADB; differences existed in URL string representation compared to certificate-encoded CRLDP URIs
19-12-2025 01:35: External report received via problem-reporting email alleging that certain CRL URIs were not disclosed in CCADB
19-12-2025 10:00: Report was triaged and forwarded to Compliance and PKI Operations teams for review
19-12-2025 10:35: Acknowledgement sent to the external reporter confirming receipt and investigation
19-12-2025 11:00: Internal incident record created; joint review initiated by Compliance and PKI teams
19-12-2025 11:30: CCADB-disclosed CRL URLs reviewed against CRLDP URIs encoded in the corresponding CA certificates
20-12-2025 13:15: Interim observations documented and shared internally with Policy Authority
21-12-2025 07:04: Initial findings communicated to the external reporter
21-12-2025 18:26: Preliminary incident report submitted in Bugzilla (Bug ID: 2007297)
22-12-2025 09:30: Expanded review initiated to validate all CCADB-disclosed CRL URLs against certificate CRLDP values
23-12-2025 14:00: Differences identified as URL normalization and scheme representation; all CRL endpoints confirmed accessible and serving correct CRL files
25-12-2025 19:55: CCADB records updated to ensure exact URL string alignment with certificate-encoded CRLDP URIs; supporting case documentation submitted
31-12-2025 18:00: All root and issuing CAs' full CRL URLs were reviewed and updated.
01-01-2026: Updated full Incident Report to the case.

Related Incidents

Bug     | Date       | Description
2002402 | 2025-11-25 | GoDaddy: Missing R1 Intermediate Full CRL URLs in CCADB.
2007219 | 2025-12-19 | DigiCert: Some certificates issued with CRLDPs that don’t exactly match CCADB disclosures.
2007066 | 2025-12-19 | Disig: Missing CA Disig R2I2 Certification Service Full CRL URLs in CCADB.
2007089 | 2025-12-19 | SHECA: subordinate certificates have not published the complete CRL address in CCADB.
2007072 | 2025-12-19 | TrustAsia: CRL disclosure address incorrectly using HTTPS scheme in CCADB.
2007098 | 2025-12-19 | GlobalSign: misalignment of CRL URL in CCADB with issued certificates.
2007116 | 2025-12-20 | D-Trust: CRL URL Disclosure.
2007216 | 2025-12-20 | GoDaddy: CRL Disclosure in CCADB Mismatch with Issued Certificates.
2007238 | 2025-12-20 | Certigna: CRL URL Disclosure.
2007105 | 2025-12-19 | Asseco DS / Certum: CRL URLs disclosed in CCADB do not exactly match the CRL URLs in certificates.

Root Cause Analysis

Contributing Factor # 1: Exact URL String Equivalence Not Explicitly Verified During Disclosure Review

  • Description:
    While CRL endpoints were validated for availability, correctness, and object consistency, the review process did not explicitly verify byte-for-byte equivalence between certificate-encoded CRLDP URIs and CCADB-disclosed URLs.
  • Timeline:
    CRL URLs were disclosed in CCADB at the time of CA record creation. The discrepancy was identified only after external review on 19 December 2025.
  • Detection:
    Detected through an external report received via the problem-reporting contact email.
  • Interaction with other factors:
    URL normalization behavior at the web server level (such as implicit path normalization or http vs https scheme representation) masked the representation difference during functional validation.
  • Root Cause Analysis methodology used:
    Targeted compliance gap analysis against CCADB Policy Section 6.2.

Lessons Learned

  • What went well:
    CRL endpoints were correctly deployed, accessible, and serving the intended CRL files.
  • What didn’t go well:
    The compliance review focused on functional CRL availability and accessibility, and did not include an explicit check for exact URL string equivalence between certificate-encoded CRLDP URIs and CCADB-disclosed CRL URLs, as required by CCADB Policy Section 6.2.
    Although the CRL endpoints resolved correctly and the referenced CRL files were identical and retrievable, differences in URL representation (such as normalization and scheme formatting) were not identified during the review process.
  • Where we got lucky:
    The discrepancy had no operational, security, or relying-party impact.
    CRL files and endpoints were correct and consistently retrievable.
  • Additional:
    This incident reinforces the need to treat CCADB disclosure requirements as distinct compliance artifacts, separate from operational validation, even when both reference the same technical endpoints.

Action Items

Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status
Align CCADB CRL URL entries to exactly match the CRL Distribution Point URIs encoded in the corresponding CA certificates, including scheme and path representation | Prevent | Root Cause # 1 | CCADB CRL URLs verified to be string-identical to certificate CRLDP values | 2025-12-25 | Completed
Add an explicit verification step during CCADB updates to confirm CRL endpoint and file consistency between certificates and CCADB records prior to submission | Prevent | Root Cause # 1 | Verification step documented and applied for all CCADB CRL disclosures | 2025-12-31 | Completed
Implement automated validation to compare certificate CRLDP values against CCADB records | Prevent | Root Cause # 1 | Exact string match verification enforced | 2026-01-10 | In Progress

Appendix

CRL URL list is enclosed in the file.
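As an added example that is not part of this bug's comments or of eMudhra's own tooling, the following Python script performs the check that Contributing Factor #1 says was missing and that the third action item automates: it takes the CRL Distribution Points extension as printed by `openssl x509 -text -noout`, compares each URI byte-for-byte against the CCADB-disclosed CRL URL, and classifies any difference as a scheme difference (http vs https), a path-normalization difference (such as `?` vs `/?` or a trailing slash) or something else. The certificate subjects, hostnames and CCADB values are constructed for the example; parsing openssl's text layout and the `urlsplit`-based classification are assumptions of this example, not eMudhra's method.

```python
# Exact-string check of certificate CRLDP URIs against CCADB-disclosed CRL URLs.
# Added example, not eMudhra's tooling. Reads the text that `openssl x509 -text`
# prints for the CRL Distribution Points extension and reports every URI that is
# not byte-for-byte present in the CCADB record, naming the kind of difference.
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample input: the relevant fragments of `openssl x509 -text` output
# for three hypothetical issuing CAs (subjects and hosts are made up).
OPENSSL_TEXT = """\
Certificate:
    Data:
        Subject: CN=Example Issuing CA 1
        X509v3 extensions:
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.example.test/ca1.crl
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
Certificate:
    Data:
        Subject: CN=Example Issuing CA 2
        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://ocsp.example.test
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.example.test/?ca=2
Certificate:
    Data:
        Subject: CN=Example Issuing CA 3
        X509v3 extensions:
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.example.test/ca3.crl
"""

# Constructed sample of CCADB "Full CRL Issued By This CA" values, keyed by CA
# subject. Each entry illustrates one of the differences named in the report.
CCADB_DISCLOSED: Dict[str, List[str]] = {
    "CN=Example Issuing CA 1": ["https://crl.example.test/ca1.crl"],  # https vs http
    "CN=Example Issuing CA 2": ["http://crl.example.test?ca=2"],      # "?" vs "/?"
    "CN=Example Issuing CA 3": ["http://crl.example.test/ca3.crl"],   # exact match
}


def parse_crldp(openssl_text: str) -> Dict[str, List[str]]:
    """Map each certificate subject to the URIs in its CRLDP extension."""
    result: Dict[str, List[str]] = {}
    subject, in_crldp, crldp_indent = None, False, 0
    for line in openssl_text.splitlines():
        s = line.strip()
        indent = len(line) - len(line.lstrip())
        if s.startswith("Subject:"):
            subject = s[len("Subject:"):].strip()
            result.setdefault(subject, [])
            in_crldp = False
        elif s.startswith("X509v3 CRL Distribution Points"):
            in_crldp, crldp_indent = True, indent
        elif in_crldp and indent <= crldp_indent:
            in_crldp = False  # the next extension header ends the CRLDP block
        elif in_crldp and s.startswith("URI:") and subject is not None:
            result[subject].append(s[len("URI:"):].strip())
    return result


def classify_mismatch(cert_uri: str, ccadb_url: str) -> str:
    """'match' for byte-identical strings; otherwise name the difference."""
    if cert_uri == ccadb_url:
        return "match"
    a, b = urlsplit(cert_uri), urlsplit(ccadb_url)
    if a._replace(scheme="") == b._replace(scheme=""):
        return "scheme"  # http vs https, everything else identical
    same_except_path = (a.scheme, a.netloc, a.query, a.fragment) == \
        (b.scheme, b.netloc, b.query, b.fragment)
    if same_except_path and a.path.strip("/") == b.path.strip("/"):
        return "path-normalization"  # e.g. "/?" vs "?", trailing slash
    return "other"


@dataclass(frozen=True)
class Finding:
    subject: str
    cert_uri: str
    ccadb_url: Optional[str]
    kind: str  # match | scheme | path-normalization | other | undisclosed


def compare(openssl_text: str, ccadb: Dict[str, List[str]]) -> List[Finding]:
    """One Finding per certificate CRLDP URI; kind != 'match' needs a CCADB fix."""
    findings: List[Finding] = []
    for subject, uris in parse_crldp(openssl_text).items():
        disclosed = ccadb.get(subject, [])
        for uri in uris:
            if uri in disclosed:
                findings.append(Finding(subject, uri, uri, "match"))
                continue
            # Not an exact match: pick the closest disclosed URL to explain why.
            near = [(classify_mismatch(uri, d), d) for d in disclosed]
            near = [(k, d) for k, d in near if k != "other"]
            if near:
                kind, url = near[0]
            elif disclosed:
                kind, url = "other", disclosed[0]
            else:
                kind, url = "undisclosed", None
            findings.append(Finding(subject, uri, url, kind))
    return findings


def noncompliant(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.kind != "match"]


if __name__ == "__main__":
    for f in noncompliant(compare(OPENSSL_TEXT, CCADB_DISCLOSED)):
        print(f"{f.subject}: cert={f.cert_uri!r} ccadb={f.ccadb_url!r} [{f.kind}]")
```

Run against the constructed input, the script flags CA 1 (scheme) and CA 2 (path normalization) and passes CA 3. The classification is only there to explain a finding; the compliance decision itself is the plain string comparison, which is the point Section 6.2 makes.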

Weekly Status Update

emSign has no updates at this time. We are on track to implement automated validation to compare certificate CRLDP values against CCADB records.

Status Update

We are pleased to report that all action items identified in the incident report have been successfully completed as per the schedule. The details are as follows:

Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status
Align CCADB CRL URL entries to exactly match the CRL Distribution Point URIs encoded in the corresponding CA certificates, including scheme and path representation | Prevent | Root Cause # 1 | CCADB CRL URLs verified to be string-identical to certificate CRLDP values | 2025-12-25 | Completed
Add an explicit verification step during CCADB updates to confirm CRL endpoint and file consistency between certificates and CCADB records prior to submission | Prevent | Root Cause # 1 | Verification step documented and applied for all CCADB CRL disclosures | 2025-12-31 | Completed
Implement automated validation to compare certificate CRLDP values against CCADB records | Prevent | Root Cause # 1 | Exact string match verification enforced | 2026-01-10 | Completed

Weekly Status Update

No further action required at this time.

Weekly Status Update

No further action required at this time.

Weekly Status Update

No further action required at this time.
