Telekom Security / DFN: CRL of "DFN-Verein Certification Authority 2" contains empty revoked certificate list
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: stefan.kirch, Assigned: stefan.kirch)
Details
(Whiteboard: [ca-compliance] [crl-failure])
Preliminary Incident Report
Summary
- Incident description: The CRL of "DFN-Verein Certification Authority 2" does not contain any revoked certificates, but it contains the revokedCertificates as an empty sequence within the tbsCertList. According to RFC5280, revokedCertificates must be absent if there are no revoked certificates.
- Relevant policies: RFC 5280 Sections 5.1.1.1 and 5.1.2.6
- Source of incident disclosure: Third Party Reported
Comment 1 • 2 months ago (Assignee)
Since this non-compliance originates from "DFN-Verein Certification Authority 2", an externally operated Sub-CA, the Full Incident Report will be submitted by DFN ("Verein zur Förderung eines Deutschen Forschungsnetzes e. V."), as DFN is much more involved in the details.
Telekom Security, as Root CA, remains responsible and has worked closely with DFN on the Full Incident Report and will continue to do so in the subsequent bug discussion.
Full Incident Report
Summary
- CA Owner CCADB unique ID: A003385
- Incident description: The CRL of DFN-Verein Certification Authority 2 and of another Sub-CA does not contain any revoked certificates, but contains the element revokedCertificates (list of revoked certificates) as an empty sequence within the tbsCertList. According to RFC5280, revokedCertificates must be absent if there are no revoked certificates.
- Timeline summary:
- Non-compliance start date: 2023-07-03 09:55:04
- Non-compliance identified date: 2026-01-16 20:18:00
- Non-compliance end date: 2026-01-22
- Relevant policies: RFC 5280 Sections 5.1.1.1 and 5.1.2.6
- Source of incident disclosure: Third Party Reported
Impact
- Total number of certificates: n/a
- Total number of "remaining valid" certificates: n/a
- Affected certificate types: n/a
- Incident heuristic: CRLs located at
  http://cdp1.pca.dfn.de/global-root-g2-ca/pub/crl/cacrl.crl
  http://cdp2.pca.dfn.de/global-root-g2-ca/pub/crl/cacrl.crl
  http://cdp1.pca.dfn.de/tu-ilmenau-g2-ca/pub/crl/cacrl.crl
  http://cdp2.pca.dfn.de/tu-ilmenau-g2-ca/pub/crl/cacrl.crl
- Was issuance stopped in response to this incident, and why or why not?: The affected PKI hierarchy will be discontinued. Issuance has stopped already on 2023-08-31.
- Analysis:
- Additional considerations: DFN is operating an intermediate CA and several Sub-CAs, see https://crt.sh/?caid=22818. This incident affects CRLs issued for certification authorities in this PKI hierarchy without non-expired revoked certificates.
Timeline
- 2022-10: DFN decides to redesign the mechanisms for issuing CRLs. Development of new software component starts. During development, a bug was introduced that made it possible to include an empty revokedCertificates list in CRLs.
- 2023-06-26: DFN puts new software component for issuing CRLs in production.
- 2023-07-03 09:55:04: DFN creates the first non-compliant CRL with new software component for
  http://cdp1.pca.dfn.de/global-root-g2-ca/pub/crl/cacrl.crl
  http://cdp2.pca.dfn.de/global-root-g2-ca/pub/crl/cacrl.crl
- 2024-12-09 20:22:05: Another CRL is affected:
  http://cdp1.pca.dfn.de/tu-ilmenau-g2-ca/pub/crl/cacrl.crl
  http://cdp2.pca.dfn.de/tu-ilmenau-g2-ca/pub/crl/cacrl.crl
- 2026-01-16 20:18:00: Google Chrome informs Telekom Security about the potential CA/Browser Forum TLS BR Non-compliance
- 2026-01-16 21:06: Telekom Security acknowledges the receipt of the problem report to Google Chrome
- 2026-01-16 21:15: Telekom Security informs DFN about the potential CA/Browser Forum TLS BR Non-compliance regarding the format of one of our CRLs.
- 2026-01-16 21:31: DFN acknowledges the receipt of the problem report to Telekom Security
- 2026-01-17 08:00: DFN starts investigation
- 2026-01-19 15:10: Telekom Security files Preliminary Incident Report
- 2026-01-22 09:58: DFN issues compliant CRL for http://cdp1/cdp2.pca.dfn.de/global-root-g2-ca/pub/crl/cacrl.crl
- 2026-01-22 10:12: DFN issues compliant CRL for http://cdp1/cdp2.pca.dfn.de/tu-ilmenau-g2-ca/pub/crl/cacrl.crl
Related Incidents
| Bug | Date | Description |
|---|---|---|
| 1888689 | 2024-03-29 | CRL non-conformance with the TLS BRs |
| 1889217 | 2024-04-02 | CRL non-conformance with the TLS BRs |
Root Cause Analysis
Contributing Factor 1: Specification for new software component not detailed enough
- Description: The specification (and thus the testing) of a new software component did not contain a concrete reference to the details in chapter 5.1 from RFC5280.
- Timeline: From 2022-10 up to now
- Detection: Detected during investigation of the incident
- Interaction with other factors: Factor 2 could have mitigated the impact of 1
Contributing Factor 2: No CRL linting
- Description: In the affected PKI hierarchy, no CRL linting is implemented. However, to the best of DFN's knowledge general CRL linting capability was not common in 2022/2023. Both pkilint and zlint seem to have added a revoked_certificates_field_empty check in the course of 2024. So, DFN could have detected and stopped the non-compliance in 2024.
- Timeline: From 2022-10 up to now
- Detection: Detected during investigation of the incident
- Interaction with other factors: -
Lessons Learned
- What went well: n/a
- What didn’t go well: Introduction of CRL linting was omitted
- Where we got lucky: n/a
- Additional: n/a
Action Items
| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Create fix for software | Mitigate | Root Cause # 1 | Software installed in testing environment | 2026-01-21 | Complete |
| Publish compliant CRL | Mitigate | Root Cause # 1 | Compliant CRL issued and published | 2026-01-22 | Complete |
| Enhance depth of software specification | Prevent | Root Cause # 1 | Revised software specification is available | 2026-02-20 | Ongoing |
| Implement CRL linting | Detect | Root Cause # 2 | CRL linting is operational | 2026-04-30 | Ongoing |
Appendix
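The following is an added example and is not part of the incident report, nor code from DFN's CRL issuing component or from Telekom Security. It implements the single check the report turns on (RFC 5280 section 5.1.2.6: revokedCertificates must be absent when nothing is revoked, so a present-but-empty SEQUENCE is non-compliant), which is also the condition the revoked_certificates_field_empty lints named under Contributing Factor 2 are described as testing. It walks the DER of a CertificateList into tbsCertList with a dependency-free TLV reader and classifies the field as absent, non-empty, or empty. All function and constant names are this example's own assumptions; the three sample CRLs are constructed inside the block with an all-zero placeholder signature, so it runs offline and does not fetch anything from the cdp1/cdp2.pca.dfn.de URLs.

```python
"""Lint check for RFC 5280 section 5.1.2.6: when no certificates are revoked,
tbsCertList.revokedCertificates MUST be absent; an empty SEQUENCE (30 00) is
non-compliant. Dependency-free DER walker; all names are hypothetical."""

import sys

# ---- minimal DER helpers (single-byte tags suffice for a CRL) ----

def der_len(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    """Wrap body in a tag-length-value triple."""
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, off=0):
    """Decode the TLV at buf[off:]; return (tag, value, offset after it)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    elif first == 0x80:
        raise ValueError("indefinite length is not allowed in DER")
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    start, end = off + hdr, off + hdr + length
    if end > len(buf):
        raise ValueError("TLV runs past the end of the buffer")
    return tag, buf[start:end], end

def children(value):
    """Split a constructed value into its (tag, value) members."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = read_tlv(value, off)
        out.append((tag, val))
    return out

SEQUENCE, SET, INTEGER, OCTETS, UTF8, UTCTIME, GENTIME, CTX0 = (
    0x30, 0x31, 0x02, 0x04, 0x0C, 0x17, 0x18, 0xA0)
TIME_TAGS = (UTCTIME, GENTIME)

# ---- the check ----

def revoked_certificates_state(crl_der):
    """'absent' | 'present' (non-empty) | 'empty' (SEQUENCE with no entries)."""
    tag, cert_list, _ = read_tlv(crl_der)
    if tag != SEQUENCE:
        raise ValueError("CertificateList must be a SEQUENCE")
    tbs_tag, tbs, _ = read_tlv(cert_list)
    if tbs_tag != SEQUENCE:
        raise ValueError("tbsCertList must be a SEQUENCE")
    f = children(tbs)
    i = 1 if f[0][0] == INTEGER else 0   # optional version
    i += 2                                # signature, issuer
    if f[i][0] not in TIME_TAGS:
        raise ValueError("thisUpdate missing")
    i += 1
    if i < len(f) and f[i][0] in TIME_TAGS:   # optional nextUpdate
        i += 1
    if i < len(f) and f[i][0] == SEQUENCE:    # revokedCertificates
        return "empty" if len(f[i][1]) == 0 else "present"
    if i < len(f) and f[i][0] != CTX0:        # only [0] crlExtensions may follow
        raise ValueError("unexpected field in tbsCertList")
    return "absent"

def lint_crl(crl_der):
    """Return a list of findings; an empty list means this check passes."""
    if revoked_certificates_state(crl_der) == "empty":
        return ["revokedCertificates is an empty SEQUENCE; RFC 5280 5.1.2.6 "
                "requires the field to be absent when nothing is revoked"]
    return []

# ---- constructed sample CRLs (test data; the signature is an all-zero placeholder) ----

SHA256_RSA = tlv(SEQUENCE, bytes.fromhex("06092A864886F70D01010B") + b"\x05\x00")
ISSUER = tlv(SEQUENCE, tlv(SET, tlv(SEQUENCE,
    bytes.fromhex("0603550403") + tlv(UTF8, b"Constructed Test CA"))))
CRL_NUMBER_EXT = tlv(CTX0, tlv(SEQUENCE, tlv(SEQUENCE,        # [0] { cRLNumber = 5 }
    bytes.fromhex("0603551D14") + tlv(OCTETS, tlv(INTEGER, b"\x05")))))
ONE_ENTRY = tlv(SEQUENCE, tlv(INTEGER, b"\x12\x34") + tlv(UTCTIME, b"250101000000Z"))

def sample_crl(revoked_field):
    """revoked_field: None (absent), b'' (empty SEQUENCE) or DER of the entries."""
    tbs = tlv(INTEGER, b"\x01") + SHA256_RSA + ISSUER          # v2, sigalg, issuer
    tbs += tlv(UTCTIME, b"260122095800Z") + tlv(UTCTIME, b"260222095800Z")
    if revoked_field is not None:
        tbs += tlv(SEQUENCE, revoked_field)
    tbs += CRL_NUMBER_EXT
    fake_sig = tlv(0x03, b"\x00" * 33)                           # BIT STRING, not a real signature
    return tlv(SEQUENCE, tlv(SEQUENCE, tbs) + SHA256_RSA + fake_sig)

CRL_ABSENT = sample_crl(None)       # compliant: field omitted
CRL_EMPTY = sample_crl(b"")         # the encoding reported in this bug
CRL_ONE = sample_crl(ONE_ENTRY)     # compliant: one revoked serial

if __name__ == "__main__":
    if len(sys.argv) > 1:           # lint a DER CRL saved from a CDP URL
        with open(sys.argv[1], "rb") as fh:
            print("\n".join(lint_crl(fh.read())) or "no findings")
    else:
        for name, crl in (("absent", CRL_ABSENT), ("empty", CRL_EMPTY), ("one", CRL_ONE)):
            print(f"{name:6s} -> {revoked_certificates_state(crl):7s} {lint_crl(crl)}")
```

Run it with the path of a DER-encoded CRL (for example one saved from a CDP URL) to lint a real file; with no argument it classifies the three constructed samples. The script does not verify the signature, so a passing result says nothing about a CRL's authenticity, only about the encoding of this one field; a production linter would run this alongside the other tbsCertList checks.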
Comment 3 • 2 months ago (Assignee)
We monitor this bug for feedback.
If there are currently no questions or comments, we would like to request to set the Next Update field to 20.02.2026 (due date of Action Item #3).
Comment 4 • 1 month ago (Assignee)
We are monitoring this bug for feedback. Please let us know if there are any comments or questions.
DFN completed Action Item "Enhance depth of software specification".
Work on "Implement CRL linting" is progressing.
| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Create fix for software | Mitigate | Root Cause # 1 | Software installed in testing environment | 2026-01-21 | Complete |
| Publish compliant CRL | Mitigate | Root Cause # 1 | Compliant CRL issued and published | 2026-01-22 | Complete |
| Enhance depth of software specification | Prevent | Root Cause # 1 | Revised software specification is available | 2026-02-20 | Complete |
| Implement CRL linting | Detect | Root Cause # 2 | CRL linting is operational | 2026-04-30 | Ongoing |
Comment 6 • 1 month ago (Assignee)
We monitor this bug for feedback.
If there are currently no questions or comments, we would like to request to set the Next Update field to 2026-04-30 (due date of Action Item #4).
Updated • 1 month ago
DFN completed Action Item "Implement CRL linting".
| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Create fix for software | Mitigate | Root Cause # 1 | Software installed in testing environment | 2026-01-21 | Complete |
| Publish compliant CRL | Mitigate | Root Cause # 1 | Compliant CRL issued and published | 2026-01-22 | Complete |
| Enhance depth of software specification | Prevent | Root Cause # 1 | Revised software specification is available | 2026-02-20 | Complete |
| Implement CRL linting | Detect | Root Cause # 2 | CRL linting is operational | 2026-04-30 | Complete |
Comment 8 • 1 month ago (Assignee)
Report Closure Summary
- Incident description: The CRL of "DFN-Verein Certification Authority 2" did not contain any revoked certificates, but it contained the revokedCertificates as an empty sequence within the tbsCertList. According to RFC5280, revokedCertificates must be absent if there are no revoked certificates.
- Incident Root Cause(s):
  Contributing Factor 1: The specification of a new software component was not sufficient.
  Contributing Factor 2: CRL linting was not implemented.
- Remediation description: To fix the bug, the software was updated at short notice. To avoid a permanent recurrence of the error, the specification of the software has been improved and CRL linting has been implemented.
- Commitment summary: We will continuously review and improve our processes, documentation and quality assurance and sensitize our employees with regard to these matters.
All Action Items disclosed in this report have been completed as described, and we request its closure.
Comment 9 • 26 days ago
This is a final call for comments or questions on this Incident Report.
Otherwise, it will be closed on approximately 2026-03-17.