Open Bug 2034360 Opened 1 month ago Updated 7 days ago

GlobalSign: CRL Distribution Point URLs incomplete for Cross-Certified Root CAs in CCADB records

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: christophe.bonjean, Assigned: christophe.bonjean)

Details

(Whiteboard: [close on 2026-06-01] [ca-compliance] [disclosure-failure])

Preliminary Incident Report

Summary

  • Incident description:
    The CCADB "JSON Array of all Full CRL URLs" values for 6 Cross-Certified Root CAs were incomplete compared to the Self-signed versions of the same Root CAs.

The following Cross-Certified Root CA CCADB records included a subset (but not the complete set) of the CRL URLs of the Self-Signed versions of the same Root CAs.

  • GlobalSign Root R1 -> GlobalSign Root R3 (2009)
  • GlobalSign Root R1 -> GlobalSign Root R3 (2018)
  • GlobalSign Root R1 -> GlobalSign Root R5
  • GlobalSign Root R1 -> GTS Root R1
  • GlobalSign Root R1 -> GTS Root R4
  • GlobalSign Root R3 -> GlobalSign Root R5

The records have been updated and we will provide a full incident report by 2026-04-30.

  • Relevant policies: CCADB Policy section 6.2: "For any unexpired and unrevoked CA certificate disclosed to the CCADB, CA Owners MUST disclose, in a JSON array, the complete set of distinct HTTP URLs appearing in the crlDistributionPoints extension of the unexpired certificates issued by that CA"

  • Source of incident disclosure: Self Reported

Assignee: nobody → christophe.bonjean
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [disclosure-failure]

Full Incident Report

Summary

  • CA Owner CCADB unique ID: A000027

  • Incident description: The CCADB "JSON Array of all Full CRL URLs" values for 6 Cross-Certified Root CAs were incomplete compared to the Self-signed versions of the same Root CAs.

  • Timeline summary:

    • Non-compliance start date: 2026-03-20. 6 Cross-Certified Root CAs are not in line with the new CCADB policy to disclose all CDPs of certificates issued by them.

    • Non-compliance identified date: 2026-04-20. Internal review identifies the issue.

    • Non-compliance end date: 2026-04-22. CCADB records updated.

  • Relevant policies:

    • CCADB Policy Section 1: "CA Owners have an overarching responsibility to keep the information in the CCADB about themselves, their operations, and their certificates accurate, and to make updates in a timely fashion. Minimally, CA Owners with certificates included in a Root Store MUST ensure their information stored in the CCADB is kept up to date as changes occur. This responsibility includes the timely population of new data fields or values added to the CCADB. When a timeline is not defined for a requirement specified in this policy, updates MUST be submitted to the CCADB within 14 calendar days of an activity being completed."

    • CCADB Policy Section 6.2: "For any unexpired and unrevoked CA certificate disclosed to the CCADB, CA Owners MUST disclose, in a JSON array, the complete set of distinct HTTP URLs appearing in the crlDistributionPoints extension of the unexpired certificates issued by that CA".

  • Source of incident disclosure: Internal review

During CCADB review we noted that although we had updated the JSON Array of all Full CRL URLs in CCADB for all Self-Signed Root CAs, we had not performed the relevant updates for the 6 Cross-Certified Root CA records. Since any certificate issued by a Root can also be seen as being issued by the Cross-Certified Root CA, the URLs should be included in both CAs' records. In 6 cases these were not indicating the same JSON Array of All Full CRL URLs as their original Self-Signed Root CAs.

The following Cross-Certified Root CA CCADB records included a subset (but not the complete set) of the CRL URLs of the Self-Signed versions of the same Root CAs.

  • GlobalSign Root R1 -> GlobalSign Root R3 (2009)
  • GlobalSign Root R1 -> GlobalSign Root R3 (2018)
  • GlobalSign Root R1 -> GlobalSign Root R5
  • GlobalSign Root R1 -> GTS Root R1
  • GlobalSign Root R1 -> GTS Root R4
  • GlobalSign Root R3 -> GlobalSign Root R5

Impact

  • Total number of certificates: N/A

  • Total number of "remaining valid" certificates: N/A

  • Affected certificate types: Cross-Certified Root CA CCADB records

  • Incident heuristic: Misaligned “JSON Array of all Full CRL URLs” values of Self-Signed Root CAs vs Cross-Certified versions of same Root CAs.

  • Was issuance stopped in response to this incident, and why or why not?: The CRL URLs were disclosed at the Root CA Certificate level and CRLs were available. Issuance was therefore not stopped.

  • Analysis: N/A

  • Additional considerations: N/A

Timeline

Date/Time (UTC) - Description

  • 2026-03-20: "JSON Array of all Full CRL URLs" field added to CCADB, taking values from "Full CRL Issued By This CA".
  • 2026-03-20: Version 2.1 of CCADB Policy published requiring completion of JSON Array of all Full CRL URLs.
  • 2026-04-20 13:03: Internal review identifies potential discrepancy between Self-Signed Root CA records and Cross-Certified versions of Root CA records for 2 Cross-Certified Root CAs - further review initiated.
  • 2026-04-21 13:51: 4 additional affected Cross-Certified Root CA records identified.
  • 2026-04-21 14:51: Review completed. Internal request raised to update CCADB records.
  • 2026-04-22 09:12: Update of 6 Cross-Certified Root CA certificate records in line with their Self-Signed version Root CAs processed in CCADB.

Related Incidents

Bug (Date) - Description

  • Bug 2007105 (2025-12-19): Similar in that the CCADB record(s) apparently do not contain the correct CRL URLs.
  • Bug 2007238 (2025-12-20): Similar in that the CCADB record(s) apparently do not contain the correct CRL URLs.
  • Bug 2007116 (2025-12-19): Similar in that the CCADB record(s) apparently do not contain the correct CRL URLs.
  • Bug 2007219 (2025-12-19): Similar in that the CCADB record(s) apparently do not contain the correct CRL URLs.
  • Bug 2007066 (2025-12-18): Similar in that the CCADB record(s) apparently do not contain the correct CRL URLs.
  • Bug 2007297 (2025-12-21): Similar in that the CCADB record(s) apparently do not contain the correct CRL URLs.
  • Bug 2007216 (2025-12-19): Similar in that the CCADB record(s) apparently do not contain the correct CRL URLs.
  • Bug 2007072 (2025-12-19): Similar in that the CCADB record(s) apparently do not contain the correct CRL URLs.
  • Bug 2002402 (2025-11-25): Similar in that the CCADB record(s) apparently do not contain the correct CRL URLs.
  • Bug 2007098 (2025-12-19): Similar in that the CCADB record(s) apparently do not contain the correct CRL URLs.
  • Bug 2007089 (2025-12-19): Similar in that the CCADB record(s) apparently do not contain the correct CRL URLs.
  • Bug 2031164 (2026-04-12): Similar in that the CCADB record(s) apparently do not contain the correct CRL URLs.

Root Cause Analysis

Contributing Factor #1: Lack of coverage of Cross-Certified CAs in change management procedures

  • Description: The CCADB publication and change management procedures did not cover actions required for updating Cross-Certified CA records based on changes to related Root CA records.

  • Timeline: This contributing factor has always existed.

  • Detection: Identified during incident analysis.

  • Interaction with other factors: The missing actions for Cross-Certified CAs during changes were not detected by CRL monitoring (factor #2).

  • Root Cause Analysis methodology used: 5-Whys

Contributing Factor #2: Missing Cross-Certified CRL URL logic in CRL monitoring

  • Description: Automated monitoring is in place for CRL URLs, but did not include logic to check the alignment of CRL URLs for Cross-Certified CAs.

  • Timeline: This contributing factor has always existed.

  • Detection: Identified during incident analysis.

  • Interaction with other factors: N/A

  • Root Cause Analysis methodology used: 5-Whys

Lessons Learned

  • What went well: After issue identification, CCADB records were updated efficiently.

  • What didn’t go well: When updating Root records we failed to realize that Cross-Certified Roots had to be updated at the same time.

  • Where we got lucky: The CRL URLs were disclosed at the Root CA Certificate level and CRLs were available, so certificate status services were operational.

  • Additional: N/A

Action Items

Action Item / Kind / Corresponding Root Cause(s) / Evaluation Criteria / Due Date / Status

  • Action Item: Update CCADB CRL URLs for 6 Cross-Certified Root CAs.
    Kind: Mitigate
    Corresponding Root Cause(s): #1
    Evaluation Criteria: All CRL URLs from Root CAs are included in the Cross-Certified CA CCADB records.
    Due Date: 2026-04-22
    Status: Complete

  • Action Item: Update CCADB Change Management Procedures with specific actions and considerations for Cross-Certified CAs.
    Kind: Prevent
    Corresponding Root Cause(s): #1
    Evaluation Criteria: Procedures include requirement to check for changes affecting Cross-Certified CAs.
    Due Date: 2026-04-24
    Status: Complete

  • Action Item: Extend CCADB monitoring functionality with Cross-Certified CA CRL URL checks.
    Kind: Detect
    Corresponding Root Cause(s): #2
    Evaluation Criteria: All Cross-Certified CAs are checked for alignment of CRL URLs with the Root CAs.
    Due Date: 2026-05-16
    Status: Ongoing

Appendix

We will monitor for any comments or questions and kindly request the next update to be set to 2026-05-16 in line with the due date of the action items.

Whiteboard: [ca-compliance] [disclosure-failure] → [ca-compliance] [disclosure-failure] Next update 2026-05-16
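The alignment check that Contributing Factor #2 and the "Detect" action item describe, as an added example that is not GlobalSign's monitoring code: it groups constructed CCADB-style records by subject (assumed here to identify a root and its cross-certified versions, with issuer equal to subject marking the self-signed record) and reports every cross-certified record missing a CRL URL that the self-signed root discloses in its "JSON Array of all Full CRL URLs". The record and field names and URLs are constructed.

```python
import json
from collections import defaultdict

# Constructed CCADB-style records (not a real CCADB export). Assumption: a
# self-signed root and its cross-certified versions share the same subject, so
# "subject" is the grouping key; issuer == subject marks the self-signed record.
RECORDS = [
    {"name": "Example Root A", "subject": "CN=Example Root A",
     "issuer": "CN=Example Root A",
     "crl_urls_json": '["http://crl.example.test/a1.crl", "http://crl.example.test/a2.crl"]'},
    {"name": "Example Root B -> Example Root A", "subject": "CN=Example Root A",
     "issuer": "CN=Example Root B",
     "crl_urls_json": '["http://crl.example.test/a1.crl"]'},  # a2.crl not disclosed
    {"name": "Example Root B", "subject": "CN=Example Root B",
     "issuer": "CN=Example Root B",
     "crl_urls_json": '["http://crl.example.test/b.crl"]'},
    {"name": "Example Root A -> Example Root B", "subject": "CN=Example Root B",
     "issuer": "CN=Example Root A",
     "crl_urls_json": '["http://crl.example.test/b.crl"]'},  # aligned
]

def parse_urls(value):
    """Parse a "JSON Array of all Full CRL URLs" field; blank means nothing disclosed."""
    if value is None or not value.strip():
        return set()
    urls = json.loads(value)
    if not isinstance(urls, list) or not all(isinstance(u, str) for u in urls):
        raise ValueError("field must be a JSON array of URL strings")
    return set(urls)

def find_misaligned(records):
    """Map each cross-certified record name to the sorted CRL URLs it is missing
    relative to the union of the self-signed record(s) with the same subject."""
    expected = defaultdict(set)   # subject -> URLs disclosed on self-signed record(s)
    cross = defaultdict(list)     # subject -> cross-certified records
    for r in records:
        if r["subject"] == r["issuer"]:
            expected[r["subject"]] |= parse_urls(r["crl_urls_json"])
        else:
            cross[r["subject"]].append(r)
    findings = {}
    for subject, xs in cross.items():
        if subject not in expected:
            continue  # no self-signed counterpart in the data set; nothing to align against
        for x in xs:
            missing = expected[subject] - parse_urls(x["crl_urls_json"])
            if missing:
                findings[x["name"]] = sorted(missing)
    return findings
```

Run over a full export, any non-empty result is exactly the condition this incident reports: a cross-certified record disclosing a strict subset of its root's CRL URLs.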

We completed the deployment of CCADB monitoring with checks for Cross-Certified CA CRL URLs on May 15, 2026.

This concludes the identified remedial activities. We will post a closure report by May 25, 2026.

Whiteboard: [ca-compliance] [disclosure-failure] Next update 2026-05-16 → [ca-compliance] [disclosure-failure]

Report Closure Summary

  • Incident description: The CCADB "JSON Array of all Full CRL URLs" values for 6 Cross-Certified Root CAs were incomplete compared to the Self-signed versions of the same Root CAs.
  • Incident Root Cause(s): The CCADB publication and change management procedures did not cover actions required for updating Cross-Certified CA records based on changes to related Root CA records. Although automated monitoring was in place for CRL URLs, it did not include logic to check the alignment of CRL URLs for Cross-Certified CAs.
  • Remediation description: GlobalSign has updated CCADB CRL URLs for 6 Cross-Certified Root CAs and updated its CCADB Change Management Procedures with specific actions and considerations for Cross-Certified CAs in order to prevent any re-occurrence. GlobalSign has also extended its CCADB monitoring with Cross-Certified CA CRL URL checks in order to detect any further misalignment.
  • Commitment summary: GlobalSign continues to investigate opportunities to improve internal processes and monitoring tools for alignment with CCADB.

All Action Items disclosed in this report have been completed as described, and we request its closure.

This is a final call for comments or questions on this Incident Report.

Otherwise, it will be closed on approximately 2026-06-01.

Whiteboard: [ca-compliance] [disclosure-failure] → [close on 2026-06-01] [ca-compliance] [disclosure-failure]