Dear RA administrators,
This is a heads-up notification.
You don’t need to take any actions at this point.
However, we’d like to bring the following issue to your attention:
> From: DigiCert+QuoVadis
> Subject: Re: Revocation of QuoVadis EV SSL ICA G1 ?
> Date: 15 July 2020 at 14:11:25 CEST
> To: SWITCHpki
> Dear Customer,
> Recently DigiCert+QuoVadis, and multiple other Certificate Authorities (CA) worldwide were made aware of a technical issue affecting OCSP responses, where it would be theoretically possible in some circumstances for an issuing CA to create OCSP responses for Certificates not created or managed by it. OCSP is a technology used to validate that a Certificate is valid and has not been revoked.
> The issue has been discussed at length at https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/XQd3rNF4y… <https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/XQd3rNF4y…>. We also provide an analysis at https://www.digicert.com/blog/working-with-delegated-ocsp-responders-and-ek… <https://www.digicert.com/blog/working-with-delegated-ocsp-responders-and-ek…>
> Since being made aware of the issue, DigiCert+QuoVadis have been investigating the options available and implementing mitigations. It has been decided longer term to transition to new infrastructure, and that certain Subscriber Certificates will be replaced.
> IMPACT: For Customers using one of the affected Certificates, a replacement Subscriber Certificate will be required. This replacement is free of charge. Certificates issued from the following QuoVadis CAs will require replacement:
> • QuoVadis Europe Advanced CA G1
> • QuoVadis Europe SSL CA G1
> • QuoVadis EV SSL ICA G1 and G3
> • QuoVadis Qualified Web ICA G1
> • QuoVadis Swiss Advanced CA G3
> • QuoVadis Swiss Regulated CA G1 and G2
> TIMELINES: For the time being your existing Certificates can still be used, with replacement staged over a period of months. If you are affected, DigiCert+QuoVadis will be in touch to arrange the replacement of your Certificates in due course. Once DigiCert+QuoVadis have determined a date for the replacement of your Certificate then you will be notified and informed of the procedure.
> We understand that our Customers are concerned about possible disruptions and we will work with you to reduce the impact where possible.
Please find also a statement from DigiCert+QuoVadis attached.
For now, as I said above, there’s nothing that has to be done. We will keep you posted.
Thank you for your understanding and
Andres Aeschlimann, Teamleader Trust & Identity
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 15 75
Working for a better digital world