I was assured by the head of the Swiss Government PKI that this is an urgent 
matter being critically addressed by their software team.  FOITT/BIT had to 
temporarily take their OCSP offline due to a software build error that will be 
remedied by a fix this Wednesday.  They are treating this with the urgency of 
a service outage and breach of compliance.

I did not query further on rollback options to reestablish service faster, as 
this software incident occurred as part of a major software release affecting 
many parts of the platform.  As we know, as soon as you issue one certificate 
post-upgrade, rollback is no longer audit viable in PKI.

Kind regards,
Steven Medin
Product Manager, Identity and Access Management
Verizon Enterprise Solutions



-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Sunday, February 08, 2015 9:25 AM
To: Medin, Steven; Rob Stradling; Richard Barnes
Cc: [email protected]
Subject: Re: FOITT does no longer support OCSP

Thank you!

Please inform me if you were successful.

Regards,
Jonas


On 06.02.2015 at 16:43, Medin, Steven wrote:
> I will contact the Swiss BIT and discuss.
>
> Kind regards,
> Steven Medin
> Product Manager, Identity and Access Management
> Verizon Enterprise Solutions
>
>
> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+steve.medin=verizonbusiness.com@lists.mozilla.org] On Behalf Of Rob Stradling
> Sent: Friday, February 06, 2015 10:32 AM
> To: Richard Barnes; [email protected]
> Cc: [email protected]
> Subject: Re: FOITT does no longer support OCSP
>
> On 06/02/15 15:00, Richard Barnes wrote:
>> Does the FOITT cert chain up to one of the roots in the Mozilla program?
>>
>> https://wiki.mozilla.org/CA:IncludedCAs
>>
>> I only see 3 Swisscom roots and 3 SwissSign roots, nothing that is
>> obviously Swiss government.
> This intermediate CA cert for "Swiss Government SSL CA 01" was issued
> by the "Baltimore CyberTrust Root" built-in root.
>
> -----BEGIN CERTIFICATE-----
> MIIGKDCCBRCgAwIBAgIEBye2CTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJJ
> RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
> VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTE0MDkxMDE4NTAzNloX
> DTE3MDkxMDE4NTAxMVowgYgxCzAJBgNVBAYTAkNIMR0wGwYDVQQKExRTd2lzcyBH
> b3Zlcm5tZW50IFBLSTERMA8GA1UECxMIU2VydmljZXMxIjAgBgNVBAsTGUNlcnRp
> ZmljYXRpb24gQXV0aG9yaXRpZXMxIzAhBgNVBAMTGlN3aXNzIEdvdmVybm1lbnQg
> U1NMIENBIDAxMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA379210+W
> I6Wl63BOe93KXb9T6mw4frXZBPgN6iKcVp4KGTOHLtCfztUrFJWWhNaapDoYcZKJ
> F4vNwQsYFIPZDdYhNeaubsOsoKznei3+1PBLpNyAVTbQ2SgEZcDuVYkpoSUzu+cT
> sZ/gAKYf3K1JacCdeEYRv55FXLJ991lTvKHLNNr4+IEZuOwMCqjdMKg/JF2Lh+nm
> AoT2YoUFBJHYWNMyTUZZ4pZVB8PZPCeM76FJHf+zG+kQ2gQhDaEyMFqjuH7URRkj
> nnV6GvenzOO7uIPiigKf9Ccpt05gnuezPKGtOwzJhpjTqOfxuVSH5HhDzDGPcrce
> rfwtHRW6Rnq0ix1kHUAmC6tB6fhKwCOOnSZ04YmaKwtMsGMsEIoaZ6+h7VlllKJ/
> OpVGGmTEdPzaEuJnCPUq0BuVOPWHtSyr6UcrTw4p8C+yjbE8Y99b9VkxdGGPU3vs
> 8ZSObJjEILcR3NnQhK4/V9bP6v9CVqh933W/Q7LdN6vjWr6VdwqYUn1q7USqIp2W
> p+Q7KFg1VHh0JJTAirI9PSmsVmiWv4MXdBKFmd2PaT3w/HBEDTM5Fg8w6T0IPd26
> ApQ+Yg+EAkC+GfH0JNcVR3LdnVgm/IncnNJPrq7gteN1FJ+lxsbeN0947nDpoasf
> qjCUZVNcbzjeIfJEuBxZ6tCwJnrQF6Xi55UCAwEAAaOCAcUwggHBMBIGA1UdEwEB
> /wQIMAYBAf8CAQAwgakGA1UdIASBoTCBnjBIBgkrBgEEAbE+AQAwOzA5BggrBgEF
> BQcCARYtaHR0cDovL2N5YmVydHJ1c3Qub21uaXJvb3QuY29tL3JlcG9zaXRvcnku
> Y2ZtMFIGCGCFdAERAxUCMEYwRAYIKwYBBQUHAgEWOGh0dHA6Ly93d3cucGtpLmFk
> bWluLmNoL2Nwcy9DUFNfMl8xNl83NTZfMV8xN18zXzIxXzEucGRmMEIGCCsGAQUF
> BwEBBDYwNDAyBggrBgEFBQcwAYYmaHR0cDovL29jc3Aub21uaXJvb3QuY29tL2Jh
> bHRpbW9yZXJvb3QwDgYDVR0PAQH/BAQDAgEGMCcGA1UdJQQgMB4GCCsGAQUFBwMB
> BggrBgEFBQcDAgYIKwYBBQUHAwMwHwYDVR0jBBgwFoAU5Z1ZMIJHWMys+ghUNoZ7
> OrUETfAwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2NkcDEucHVibGljLXRydXN0
> LmNvbS9DUkwvT21uaXJvb3QyMDI1LmNybDAdBgNVHQ4EFgQU/DVeWB34UuAr6Kyr
> uYKtFRHW5s0wDQYJKoZIhvcNAQELBQADggEBAJwbVrtGL68v2T0QhiuIKpFvNCpi
> 2VpmyUwHY1IiIKxckiX9NoQdvSqwG9SePR3Fet9LC6d0SAnkXKTwnjP7hxTMdmMt
> +TK/UnJWBBQCfMjwFRs0oAEFwyxSr04R2ZWIV/8DlTSQ3hxH2LPlgJjVosQfvdSG
> nqYK0KY3c7vMRC7QbtAIrmxY4CTqtBHiPQy/CV6zdcCYxgsKl3iPxPQAHEMIG8DY
> CaMW+JsRUTtdPIaXIa559nmHbG2xw/tm7Ku4ieKsd9RNkDIbE5DEi/clf1Xn8bW4
> AiV4lLjW7oN6i5m4QrGeFtWIXZXBFiurMtplyoJ/wmNw70ArcqxbOc174n0=
> -----END CERTIFICATE-----
>
>> On Thu, Feb 5, 2015 at 6:33 PM, <[email protected]> wrote:
>>
>>> Hi all
>>>
>>> A few weeks ago, I got some mails about a broken iframe. The secure
>>> connection to the remote server failed (OCSP error). The site was
>>> signed by Swiss Government SSL CA 01. I contacted the technical
>>> support and they told me, that the Federal Office of Information
>>> Technology, Systems and Telecommunication (FOITT) of Switzerland
>>> shut down their OCSP servers! So all secure Swiss gov sites are
>>> broken if you require OCSP.
>>> I contacted them directly and tried to explain why the OCSP service
>>> is a requirement for a CA, but they do not react.
>>>
>>> Maybe someone of the Mozilla security team could contact them again.
>>>
>>> Regards,
>>> Jonas
> --
> Rob Stradling
> Senior Research & Development Scientist COMODO - Creating Trust Online
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
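Richard's question (does FOITT chain to a Mozilla-trusted root?) and Rob's answer (the "Swiss Government SSL CA 01" intermediate was issued by "Baltimore CyberTrust Root") can both be checked directly from the PEM quoted above. The following is an added example, not code from the thread or from any of the parties: a minimal, standard-library-only DER walker that decodes that intermediate and reports its issuer, subject, validity, CA flag and revocation endpoints (the AIA OCSP responder and the CRL distribution point). The field layout follows RFC 5280; the only assumptions are that tags are single-byte (true for X.509) and that each extension value parsed here is a SEQUENCE.

```python
"""Added example, not code from the thread: a minimal DER walker (standard library only) that
decodes the intermediate quoted above and reports issuer, subject, validity, the CA flag and
its revocation endpoints (AIA OCSP responder URL, CRL distribution point)."""
import base64
import datetime

PEM = """-----BEGIN CERTIFICATE-----
MIIGKDCCBRCgAwIBAgIEBye2CTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJJ
RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTE0MDkxMDE4NTAzNloX
DTE3MDkxMDE4NTAxMVowgYgxCzAJBgNVBAYTAkNIMR0wGwYDVQQKExRTd2lzcyBH
b3Zlcm5tZW50IFBLSTERMA8GA1UECxMIU2VydmljZXMxIjAgBgNVBAsTGUNlcnRp
ZmljYXRpb24gQXV0aG9yaXRpZXMxIzAhBgNVBAMTGlN3aXNzIEdvdmVybm1lbnQg
U1NMIENBIDAxMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA379210+W
I6Wl63BOe93KXb9T6mw4frXZBPgN6iKcVp4KGTOHLtCfztUrFJWWhNaapDoYcZKJ
F4vNwQsYFIPZDdYhNeaubsOsoKznei3+1PBLpNyAVTbQ2SgEZcDuVYkpoSUzu+cT
sZ/gAKYf3K1JacCdeEYRv55FXLJ991lTvKHLNNr4+IEZuOwMCqjdMKg/JF2Lh+nm
AoT2YoUFBJHYWNMyTUZZ4pZVB8PZPCeM76FJHf+zG+kQ2gQhDaEyMFqjuH7URRkj
nnV6GvenzOO7uIPiigKf9Ccpt05gnuezPKGtOwzJhpjTqOfxuVSH5HhDzDGPcrce
rfwtHRW6Rnq0ix1kHUAmC6tB6fhKwCOOnSZ04YmaKwtMsGMsEIoaZ6+h7VlllKJ/
OpVGGmTEdPzaEuJnCPUq0BuVOPWHtSyr6UcrTw4p8C+yjbE8Y99b9VkxdGGPU3vs
8ZSObJjEILcR3NnQhK4/V9bP6v9CVqh933W/Q7LdN6vjWr6VdwqYUn1q7USqIp2W
p+Q7KFg1VHh0JJTAirI9PSmsVmiWv4MXdBKFmd2PaT3w/HBEDTM5Fg8w6T0IPd26
ApQ+Yg+EAkC+GfH0JNcVR3LdnVgm/IncnNJPrq7gteN1FJ+lxsbeN0947nDpoasf
qjCUZVNcbzjeIfJEuBxZ6tCwJnrQF6Xi55UCAwEAAaOCAcUwggHBMBIGA1UdEwEB
/wQIMAYBAf8CAQAwgakGA1UdIASBoTCBnjBIBgkrBgEEAbE+AQAwOzA5BggrBgEF
BQcCARYtaHR0cDovL2N5YmVydHJ1c3Qub21uaXJvb3QuY29tL3JlcG9zaXRvcnku
Y2ZtMFIGCGCFdAERAxUCMEYwRAYIKwYBBQUHAgEWOGh0dHA6Ly93d3cucGtpLmFk
bWluLmNoL2Nwcy9DUFNfMl8xNl83NTZfMV8xN18zXzIxXzEucGRmMEIGCCsGAQUF
BwEBBDYwNDAyBggrBgEFBQcwAYYmaHR0cDovL29jc3Aub21uaXJvb3QuY29tL2Jh
bHRpbW9yZXJvb3QwDgYDVR0PAQH/BAQDAgEGMCcGA1UdJQQgMB4GCCsGAQUFBwMB
BggrBgEFBQcDAgYIKwYBBQUHAwMwHwYDVR0jBBgwFoAU5Z1ZMIJHWMys+ghUNoZ7
OrUETfAwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2NkcDEucHVibGljLXRydXN0
LmNvbS9DUkwvT21uaXJvb3QyMDI1LmNybDAdBgNVHQ4EFgQU/DVeWB34UuAr6Kyr
uYKtFRHW5s0wDQYJKoZIhvcNAQELBQADggEBAJwbVrtGL68v2T0QhiuIKpFvNCpi
2VpmyUwHY1IiIKxckiX9NoQdvSqwG9SePR3Fet9LC6d0SAnkXKTwnjP7hxTMdmMt
+TK/UnJWBBQCfMjwFRs0oAEFwyxSr04R2ZWIV/8DlTSQ3hxH2LPlgJjVosQfvdSG
nqYK0KY3c7vMRC7QbtAIrmxY4CTqtBHiPQy/CV6zdcCYxgsKl3iPxPQAHEMIG8DY
CaMW+JsRUTtdPIaXIa559nmHbG2xw/tm7Ku4ieKsd9RNkDIbE5DEi/clf1Xn8bW4
AiV4lLjW7oN6i5m4QrGeFtWIXZXBFiurMtplyoJ/wmNw70ArcqxbOc174n0=
-----END CERTIFICATE-----"""  # copied verbatim from Rob Stradling's message above

OID_CN = bytes.fromhex("550403")                  # 2.5.4.3 commonName
OID_BASIC = bytes.fromhex("551d13")               # 2.5.29.19 basicConstraints
OID_CRL_DP = bytes.fromhex("551d1f")              # 2.5.29.31 cRLDistributionPoints
OID_AIA = bytes.fromhex("2b06010505070101")       # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
OID_AD_OCSP = bytes.fromhex("2b06010505073001")   # 1.3.6.1.5.5.7.48.1 id-ad-ocsp


def tlv(buf, pos=0):  # one DER element at pos -> (tag, value, end); X.509 uses 1-byte tags
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):  # (tag, value) for each element inside a constructed value
    pos = 0
    while pos < len(value):
        tag, v, pos = tlv(value, pos)
        yield tag, v

def common_name(name):  # Name = SEQUENCE OF RDN, RDN = SET OF {oid, value}
    for _, rdn in children(name):
        for _, atv in children(rdn):
            oid, val = [v for _, v in children(atv)]
            if oid == OID_CN:
                return val.decode()

def uris(value):  # every [6] URI GeneralName below a constructed value, any nesting depth
    out = []
    for tag, v in children(value):
        out += [v.decode("ascii")] if tag == 0x86 else uris(v) if tag & 0x20 else []
    return out

def describe(pem=PEM):
    der = base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))
    fields = list(children(next(children(tlv(der)[1]))[1]))  # tbsCertificate fields
    fields = fields[fields[0][0] == 0xA0:]                    # skip the explicit [0] version
    info = {"serial": int.from_bytes(fields[0][1], "big"),
            "issuer_cn": common_name(fields[2][1]), "subject_cn": common_name(fields[4][1]),
            "validity": [datetime.datetime.strptime(v.decode(), "%y%m%d%H%M%SZ")
                         for _, v in children(fields[3][1])],  # UTCTime notBefore, notAfter
            "is_ca": False, "ocsp": [], "crl": []}
    exts = next(v for t, v in fields if t == 0xA3)            # [3] EXPLICIT Extensions
    for _, ext in children(next(children(exts))[1]):          # Extension {oid, [critical], value}
        parts = list(children(ext))
        _, body, _ = tlv(parts[-1][1])                        # extnValue OCTET STRING -> SEQUENCE
        if parts[0][1] == OID_BASIC:                          # BasicConstraints {cA BOOLEAN, ...}
            info["is_ca"] = next(children(body), None) == (0x01, b"\xff")
        elif parts[0][1] == OID_AIA:                          # SEQUENCE OF {accessMethod, location}
            for _, ad in children(body):
                (_, method), (tag, loc) = children(ad)
                if method == OID_AD_OCSP and tag == 0x86:
                    info["ocsp"].append(loc.decode("ascii"))
        elif parts[0][1] == OID_CRL_DP:                       # DistributionPoint [0] [0] [6] URI
            info["crl"] = uris(body)
    return info
```

Running `describe()` on the quoted PEM confirms Rob's reading: issuer CN "Baltimore CyberTrust Root", subject CN "Swiss Government SSL CA 01", cA=TRUE. Note what the revocation endpoints mean: the AIA OCSP URL in this certificate is where a relying party asks about the status of this intermediate, and it is served under the Baltimore root, not by FOITT. The outage discussed in the thread is the responder named in the AIA extension of FOITT-issued end-entity certificates, which are not quoted here; a client validating a Swiss government site reads that URL from the leaf certificate in the same way and fails hard when the responder is down and OCSP is required.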

