2055551 - HARICA: Issuance of Server TLS Certificates with id-kp-clientAuth KeyPurposeID against CP/CPS
Log In
Log In with GitHub
or
Remember me
Create an Account<br>·<br>Forgot Password
Browse
Advanced Search
New Bug
Reports
Documentation
Please enable JavaScript in your browser to use all the features on this site.
Copy Summary▾
Markdown
Markdown (bug number)
Plain Text
HTML
View ▾
Reset Sections
Expand All Sections
Collapse All Sections
History
JSON
XML
Open
Bug 2055551
Opened 18 hours ago<br>Updated 17 hours ago
HARICA: Issuance of Server TLS Certificates with id-kp-clientAuth KeyPurposeID against CP/CPS
Summary:
HARICA: Issuance of Server TLS Certificates with id-kp-clientAuth KeyPurposeID against CP/CPS
Product:
CA Program
See Open Bugs in This Product
File New Bug in This Product
Watch This Product
Component:
CA Certificate Compliance
See Open Bugs in This Component
Recently Fixed Bugs in This Component
File New Bug in This Component
Watch This Component
Version:
unspecified
Platform:
Unspecified
Unspecified
Type:
task
Priority:
Not set
Severity:
Status:
UNCONFIRMED
Status:
UNCONFIRMED
Mark as Assigned
Milestone:
Project Flags:
Accessibility Severity
Tracking Flags:
Tracking<br>Status
relnote-firefox
firefox-esr115
firefox-esr140
firefox-esr153
firefox152
firefox153
firefox154
Assignee:
Unassigned
Assignee:
Reset Assignee to default
Mentors:
QA Contact:
Reset QA Contact to default
Reporter:
public-incident-reports
Triage Owner:
bwilson
CC:
2 people
Depends on:
Blocks:
Regressions:
Regressed by:
URL:
See Also:
Alias:
Keywords:
Whiteboard:
QA Whiteboard:
Change Request:
Bug Flags:
behind-pref
sec-bounty
sec-bounty-hof
in-qa-testsuite
in-testsuite
qe-verify
Signature:
None
This bug is publicly visible.
Bottom ↓
Tags ▾
Reset
Timeline ▾
Reset
Collapse All
Expand All
Comments Only
HARICA
Reporter
Description
•<br>18 hours ago
Preliminary Incident Report
Summary
Incident description: HARICA routinely updates its CP/CPS to reflect industry policy changes. On 2025-02-15, Chrome's Root Store Policy v1.6 required the removal of the id-kp-clientAuth KeyPurposeID from the extKeyUsage extension, effective 2026-06-15. We updated HARICA CP/CPS v4.9 on 2025-03-14 to incorporate this deadline. While Chrome subsequently extended this deprecation date to 2027-03-15 in version 1.8 of their policy, HARICA failed to update its CP/CPS to reflect the extension. Consequently, we incorrectly continued to allow the id-kp-clientAuth KeyPurposeID in TLS Certificates after our internal 2026-06-15 CP/CPS cutoff.
All TLS Certificates issued after 2026-06-15 00:00:01 (UTC) are affected and will be replaced and revoked within 5 days.
The affected certificate profiles were updated to remove the id-kp-clientAuth EKU temporarily until an updated CP/CPS was released.
A full incident report will be posted no later than 2026-07-30.
We thank the reporter for precisely identifying the problem and providing the relevant normative references, which enabled our team to rapidly confirm the finding.
Relevant policies: Section 7.1.2.3 of the HARICA CP/CPS
Source of incident disclosure: Third-party reported
You need to log in<br>before you can comment on or make changes to this bug.
Top ↑