ISRG CPS Section 4.2.1: "The CA checks for relevant CAA records prior to 
issuing certificates. The CA acts in accordance with CAA records if present."

At 9:45am U.S. Pacific time on December 7th, 2015, it was reported to us that 
our Certificate Authority Authorization (CAA) record checks were not working 
properly [1]. We determined that the report was accurate.

At 1:11pm U.S. Pacific time on the same day a fix was deployed to production. 
The fix has been verified to be correct.

The cause of the problem was determined to be a bug in our "boulder" CA 
software.

An analysis of logs and our certificate database determined that six 
certificates were improperly issued to domains restricted by CAA. These 
certificates have been revoked.

https://crt.sh/?id=11015552
https://crt.sh/?id=11129526
https://crt.sh/?id=11129525
https://crt.sh/?id=11145944
https://crt.sh/?id=11146361
https://crt.sh/?id=11147768

We work hard to make sure that we're issuing in compliance with all relevant 
policies. We will be reviewing our policies and procedures to determine how we 
might best reduce the risk of such a mistake happening again.

[1] https://github.com/letsencrypt/boulder/issues/1231
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
