On 4/6/2026 8:31 PM, Wayne wrote:
> On 2026-04-03 SSL.com proactively published a preliminary incident report <https://bugzilla.mozilla.org/show_bug.cgi?id=2029230> on their use of EJBCA:
>
>> An incorrect Open MPIC Lambda implementation by the EJBCA ACME service allowed DCV to be completed based only on the remote Network Perspectives.

> A security reporter had notified them early on 2026-04-02, and presumably has alerted other CAs. To date, there's only SSL.com mentioning a report, though.

Hi Wayne,

I just want to clarify that HARICA was not alerted by a security researcher regarding this issue.


> The impact is quite large; SSL.com dealt with revoking 1.7m within 24 hours. This should be viewed as a success of the Mass Revocation Plan in practice.

Indeed, that's what we currently use for guidance as well. Please note that some CAs had mass revocation procedures even before the requirement from Mozilla, but the policy change pushed for very meaningful improvements to support worst-case scenarios (like mass revocation within 24 hours). Having these steps already prepared is extremely helpful in time-sensitive situations like the mass replacement of certificates, which precedes the 24-hour mass revocation.


> Currently only one other CA has reported having the same issue: HARICA <https://bugzilla.mozilla.org/show_bug.cgi?id=2029643>.
>
> There are quite a few <https://bugzilla.mozilla.org/buglist.cgi?longdesc_type=allwordssubstr&resolution=---&resolution=FIXED&resolution=INVALID&resolution=WONTFIX&resolution=INACTIVE&resolution=DUPLICATE&resolution=WORKSFORME&resolution=INCOMPLETE&resolution=SUPPORT&resolution=EXPIRED&resolution=MOVED&query_format=advanced&product=CA%20Program&component=CA%20Certificate%20Compliance&longdesc=ejbca&list_id=17917927&classification=Client%20Software&classification=Developer%20Infrastructure&classification=Components&classification=Server%20Software&classification=Other> CAs using EJBCA; I'd be surprised if it were limited to only these two CAs.

They would have to be using the ACME service from EJBCA.


Thanks,
Dimitris.


> Could any CA using EJBCA prioritize checking if they are impacted by this issue? The longer this waits, the more certificates will be impacted.
>
> - Wayne
>
> --
> You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/fd9c43c1-512d-44d7-9601-bdbc61df4bcen%40mozilla.org.

--
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/c1db63dc-4b04-4572-a1c1-0f8171076e46%40it.auth.gr.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
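Added illustration of the failure mode described in the quoted bug report (not code from EJBCA, Open MPIC, SSL.com or HARICA; the function names, the "primary"/"remote-*" labels and the sample order records are constructed for this example). It places the flawed rule, an MPIC decision taken from remote network perspectives alone, beside the corroboration rule in which the CA's own primary check must pass and remote perspectives can only corroborate it, and adds a scoping helper a CA could run over its own stored DCV results to find orders that were accepted only because of the flaw. The quorum threshold is a parameter here; a real deployment derives it from the number of perspectives in use.

```python
"""MPIC decision logic: flawed remote-only rule vs. corroborated rule.
Constructed example; names and records are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PerspectiveResult:
    perspective: str   # "primary" = the CA's own vantage point; anything else is remote
    passed: bool       # did the DCV check succeed from this vantage point?


@dataclass(frozen=True)
class MpicOutcome:
    valid: bool
    reason: str        # human-readable explanation for the audit trail


def remote_only_decision(results, quorum):
    """Flawed rule: never consults the primary perspective. Issuance is
    allowed as soon as `quorum` remote perspectives report success."""
    remotes = [r for r in results if r.perspective != "primary"]
    passed = sum(1 for r in remotes if r.passed)
    if passed >= quorum:
        return MpicOutcome(True, f"{passed}/{len(remotes)} remote perspectives passed")
    return MpicOutcome(False, f"only {passed}/{len(remotes)} remote perspectives passed")


def corroborated_decision(results, quorum):
    """Corrected rule: exactly one primary result must exist and must have
    passed; remote perspectives then corroborate it up to `quorum`."""
    primary = [r for r in results if r.perspective == "primary"]
    if len(primary) != 1:
        return MpicOutcome(False, "primary perspective result missing or duplicated")
    if not primary[0].passed:
        return MpicOutcome(False, "primary perspective failed; remotes cannot substitute for it")
    remotes = [r for r in results if r.perspective != "primary"]
    passed = sum(1 for r in remotes if r.passed)
    if passed < quorum:
        return MpicOutcome(False, f"quorum not met: {passed}/{len(remotes)} remotes corroborated, need {quorum}")
    return MpicOutcome(True, f"primary passed and {passed}/{len(remotes)} remotes corroborated")


def find_suspect_validations(records, quorum):
    """Impact scoping: return the order ids that the flawed rule accepted
    but the corrected rule rejects. Each record is a constructed dict with
    an 'order' id and the list of PerspectiveResult objects stored for it."""
    suspect = []
    for rec in records:
        results = rec["results"]
        if remote_only_decision(results, quorum).valid and not corroborated_decision(results, quorum).valid:
            suspect.append(rec["order"])
    return suspect


# Constructed sample: three past ACME orders and what each perspective saw.
SAMPLE_RECORDS = [
    {"order": "order-001", "results": [            # healthy: primary and two remotes agree
        PerspectiveResult("primary", True),
        PerspectiveResult("remote-a", True),
        PerspectiveResult("remote-b", True),
        PerspectiveResult("remote-c", False)]},
    {"order": "order-002", "results": [            # primary failed, remotes alone pushed it through
        PerspectiveResult("primary", False),
        PerspectiveResult("remote-a", True),
        PerspectiveResult("remote-b", True),
        PerspectiveResult("remote-c", True)]},
    {"order": "order-003", "results": [            # primary result never recorded at all
        PerspectiveResult("remote-a", True),
        PerspectiveResult("remote-b", True),
        PerspectiveResult("remote-c", True)]},
]
QUORUM = 2


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["order"], corroborated_decision(rec["results"], QUORUM))
    print("orders needing review:", find_suspect_validations(SAMPLE_RECORDS, QUORUM))
```

Running it lists order-002 and order-003 as the ones to review: both pass the remote-only rule, neither passes the corroborated rule. A helper of this shape, pointed at the stored per-perspective results of real orders, gives a CA a concrete list of certificates to assess rather than a guess at whether it is affected.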
