On 03/19/2015 02:45 AM, Ryan Sleevi wrote:
> On Thu, March 19, 2015 1:35 am, LuxTrust CA wrote:
>> Regarding issue #2 : OCSP responds "good" to a non-issued certificate
>> (serials FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF and 00) (BR Section
>> 13.2.6) :
>> LuxTrust’s OCSP application currently does not support this feature
>> (technical limitation). LuxTrust is currently analyzing the possibility of
>> an alternative solution / technical improvements.
>> Pending a technical alternative, LuxTrust would like to underline that the
>> risks raised by the “good” response to a non-issued certificate are
>> mitigated by compensatory controls: even if LuxTrust’s OCSP responder
>> provides an inadequate “good” response, the certificate will not pass the
>> step of validation of the CA information (trust anchor) because the
>> certificate is not signed by LuxTrust’s CA (provided that the certificate
>> validation check is compliant with RFC 5280, section 6.1 Basic path
>> validation).
>
> This is not an accurate representation of the security risks.
>
> The Baseline Requirements incorporated this change in part due to the
> compromise of Diginotar, in which the issuing CA was unable to account for
> or present records of validly signed certificates. This failure, combined
> with a failure to monitor its OCSP logs, allowed for the scope of the
> compromise to be significantly underestimated.
>
> So the description of why this is not an issue is not correct, nor would
> it be compliant with the Baseline Requirements.
>
> This has been a requirement of the CA/Browser Forum since 2013-08-01, or 1
> year and 7 months. This seems to have been ample time to evaluate
> alternative solutions or technical improvements to comply with this
> requirement, which itself predates LuxTrust's request for inclusion.
>
> This does seem to be an item that needs remedying. According to 7.3.6 of
> ETSI TS 102 042 (which you have been audited to), Item h, PTC-BR
> certificates must conform to the BRG Section 13.2, which establishes this
> as a requirement in Section 13.2.5.
>
> So this is non-complying with the ETSI TS 102 042 criteria to which you've
> been audited, in addition to the Mozilla Root Inclusion Policy
> requirements of BRG conformance.
I'm still seeing "good" responses to non-issued certificates. Does LuxTrust have an update on their progress in resolving this issue?

Thanks,
David
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
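An added example (not part of the thread or of any CA's tooling) of the check David is describing: a small POSIX shell script that asks a responder about the two never-issued serials named above and flags a "good" answer as a BR 13.2.6 finding. It assumes `openssl` is on the PATH; the issuer certificate path and responder URL are supplied by the caller.

```shell
#!/bin/sh
# Probe an OCSP responder with serials that were never issued (BR 13.2.6 check).
# A compliant responder must not answer "good" for such serials, because a
# "good" answer hides certificates the CA has no record of issuing.

# The two serials named in the thread, as openssl expects them (0x-prefixed hex).
PROBE_SERIALS="0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 0x00"

# Query the responder for one serial and print openssl's raw output.
# Arguments: issuer certificate (PEM), responder URL, serial.
# -noverify is used because we are checking the status answer, not the signature.
probe_serial() {
    openssl ocsp -issuer "$1" -serial "$3" -url "$2" -noverify -resp_text 2>&1
}

# Classify openssl ocsp output for a single serial: GOOD, REVOKED, UNKNOWN or ERROR.
# openssl prints a summary line such as "0x00: good" / "0x00: revoked" / "0x00: unknown";
# a transport or responder error yields none of them.
classify_status() {
    case "$1" in
        *": revoked"*) echo REVOKED ;;
        *": unknown"*) echo UNKNOWN ;;
        *": good"*)    echo GOOD ;;
        *)             echo ERROR ;;
    esac
}

# Map a status to a verdict: "good" for a never-issued serial is the finding.
br_verdict() {
    case "$1" in
        GOOD)            echo NONCOMPLIANT ;;
        REVOKED|UNKNOWN) echo OK ;;
        *)               echo INCONCLUSIVE ;;
    esac
}

# Run both probes against a live responder (needs network access).
# Usage: check_responder issuer.pem http://ocsp.example.invalid/
check_responder() {
    for s in $PROBE_SERIALS; do
        status=$(classify_status "$(probe_serial "$1" "$2" "$s")")
        printf '%s: %s -> %s\n' "$s" "$status" "$(br_verdict "$status")"
    done
}
```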

