Here is my understanding, according to the wording in GlobalSign's incident 
report (

-Revocation of the certificate was intended. GlobalSign writes: "In a 
revocation exercise which should have been 'business as usual.'" The 
certificate they intended to revoke is referred to as a "Cross Certificate."

-They first published the revocation to their CRL. No adverse effects.

-They then published the revocation to their OCSP database. This is where the 
issue occurred. It seems that, due to the subject information of the revoked 
certificate, it was inferred that a separate intermediate certificate, which 
had NOT been revoked (at least, in GlobalSign's opinion) HAD been revoked.

It appears that this error is a bug in the third-party OCSP software that 
GlobalSign uses. They wrote: "the logic within the responder code base 
determined that the revocation of the Cross Certificate, identified by its 
Public Key and Subject Name in a lookup table, was effectively an instruction 
to also identify all other subordinate certificate authorities including 
DomainSSL and AlphaSSL as 'bad'."

-This incident caused the widespread revocation errors that The Register 
reported on.

-GlobalSign remediated the issue in multiple ways: They "unrevoked" the Cross 
Certificate, so that the CDNs they were using for OCSP availability would 
"refresh" and stop reporting the revocation. They also issued a new set of 
intermediate certificates that server admins could configure their server to 

Either option would hopefully allow affected sites to solve the problem.

Some users were never affected because the OCSP information was not cached 
at the CDNs that provided it. Some sites were never affected because 
GlobalSign has separate roots for some certs (EV, etc.).


So, on to the question of whether this is a violation of the Baseline 
Requirements. It seems like it may indeed be a violation.

Looking at the BRs ( ). 
Section 4.10.1 says:

"Revocation entries on a CRL or OCSP Response MUST NOT be removed until after 
the Expiry Date of the revoked Certificate."

In GlobalSign's Incident Report, within the section "Incident Timeline", they 

"13-Oct-16 12:20 Removal of cross signing certificate from the OCSP Database"

So it seems that un-publishing the revocation information for the Cross 
Certificate would indeed be a BR violation. But this is not an area of 
compliance I am familiar with.

Hopefully someone else can chime in and say for sure if this is a violation.

dev-security-policy mailing list

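To make the lookup-table failure mode described in the post concrete, here is an added example (not GlobalSign's responder code, and not part of the original message) that models two ways an OCSP responder can key its revocation data. One keys entries by Subject Name and Public Key, as the incident report describes, and treats a hit as marking that CA identity bad; the other keys entries by the RFC 6960 CertID (issuer name hash, issuer key hash, serial number), which identifies exactly one certificate. All certificate names, keys and serial numbers are constructed for the demonstration; the hierarchy (a cross-signed root issuing DomainSSL and AlphaSSL, an EV CA under a separate root) is only assumed to resemble the one in the post.

```python
"""Model of an OCSP responder's revocation lookup (constructed example).

A cross certificate carries the SAME subject name and public key as the root
it cross-signs; only its issuer and serial differ. A responder that keys
revocations by (subject, public key) therefore cannot tell "the cross cert is
revoked" apart from "the root identity is bad", and taints every subordinate.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    public_key: bytes   # stand-in for the SubjectPublicKeyInfo bytes
    issuer_key: bytes   # public key of the CA that signed this certificate
    serial: int


def cert_id(cert: Cert) -> tuple:
    """RFC 6960 CertID: hash(issuer name), hash(issuer key), serial number."""
    return (hashlib.sha1(cert.issuer.encode()).hexdigest(),
            hashlib.sha1(cert.issuer_key).hexdigest(),
            cert.serial)


# Constructed PKI; names, keys and serials are illustrative, not real values.
ROOT_KEY = b"constructed-globalsign-root-key"
OTHER_ROOT_KEY = b"constructed-other-root-key"
EV_ROOT_KEY = b"constructed-ev-root-key"

CROSS_CERT = Cert("GlobalSign Root CA", "Other Root CA", ROOT_KEY, OTHER_ROOT_KEY, 1001)
DOMAIN_SSL = Cert("GlobalSign Domain Validation CA", "GlobalSign Root CA", b"domain-ca-key", ROOT_KEY, 2001)
ALPHA_SSL = Cert("AlphaSSL CA", "GlobalSign Root CA", b"alpha-ca-key", ROOT_KEY, 2002)
EV_CA = Cert("GlobalSign Extended Validation CA", "GlobalSign EV Root CA", b"ev-ca-key", EV_ROOT_KEY, 3001)
LEAF = Cert("www.example.com", "GlobalSign Domain Validation CA", b"leaf-key", b"domain-ca-key", 4001)

# Certificates the responder knows, looked up by the identity (subject, key).
FLEET = {(c.subject, c.public_key): c for c in (CROSS_CERT, DOMAIN_SSL, ALPHA_SSL, EV_CA, LEAF)}


class SubjectKeyResponder:
    """Keys revocations by (subject name, public key) and treats a hit as
    marking that CA identity bad, so everything below it answers 'revoked'."""

    def __init__(self):
        self.bad = set()

    def revoke(self, cert: Cert) -> None:
        self.bad.add((cert.subject, cert.public_key))

    def status(self, cert: Cert) -> str:
        if (cert.subject, cert.public_key) in self.bad:
            return "revoked"
        issuer = FLEET.get((cert.issuer, cert.issuer_key))
        # For DomainSSL the issuer identity (GlobalSign Root CA, ROOT_KEY)
        # resolves to the revoked cross certificate, and the taint propagates.
        return self.status(issuer) if issuer is not None else "good"


class CertIdResponder:
    """Keys revocations by CertID, so only the exact certificate revoked is
    answered 'revoked'. Chain validation is left to the client, which asks
    about each certificate in the chain separately."""

    def __init__(self):
        self.revoked = {}   # CertID -> reason code

    def revoke(self, cert: Cert, reason: str = "cessationOfOperation") -> None:
        self.revoked[cert_id(cert)] = reason

    def status(self, cert: Cert) -> str:
        return "revoked" if cert_id(cert) in self.revoked else "good"


def statuses_after_revoking_cross_cert() -> dict:
    """Revoke only the cross certificate on both responders and report what
    each answers for every certificate in the fleet: {subject: (buggy, certid)}."""
    buggy, correct = SubjectKeyResponder(), CertIdResponder()
    buggy.revoke(CROSS_CERT)
    correct.revoke(CROSS_CERT)
    return {c.subject: (buggy.status(c), correct.status(c)) for c in FLEET.values()}


if __name__ == "__main__":
    for subject, (by_identity, by_cert_id) in statuses_after_revoking_cross_cert().items():
        print(f"{subject:40s} subject/key lookup: {by_identity:8s} CertID lookup: {by_cert_id}")
```

Running it shows the pattern the post describes: both responders answer "revoked" for the cross certificate itself, but only the subject/key-keyed responder also answers "revoked" for DomainSSL, AlphaSSL and the leaf beneath them, while the EV CA under its own root is unaffected in both. The CertID-keyed responder is the shape the OCSP protocol expects, since an OCSP request names a certificate by issuer name hash, issuer key hash and serial, not by the certificate's own subject.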