Here is my understanding, according to the wording in GlobalSign's incident

- Revocation of the certificate was intended. GlobalSign writes: "In a
  revocation exercise which should have been 'business as usual.'" The
  certificate they intended to revoke is referred to as a "Cross Certificate."

- They first published the revocation to their CRL. No adverse effects.

- They then published the revocation to their OCSP database. This is where the
  issue occurred. It seems that, due to the subject information of the revoked
  certificate, it was inferred that a separate intermediate certificate, which
  had NOT been revoked (at least, in GlobalSign's opinion) HAD been revoked.
  It appears that this error is a bug in the third-party OCSP software that
  GlobalSign uses. They wrote: "the logic within the responder code base
  determined that the revocation of the Cross Certificate, identified by its
  Public Key and Subject Name in a lookup table, was effectively an instruction
  to also identify all other subordinate certificate authorities including
  DomainSSL and AlphaSSL as ‘bad’."

- This incident caused the widespread revocation errors that The Register

- GlobalSign remediated the issue in multiple ways: They "unrevoked" the Cross
  Certificate, so that the CDNs they were using for OCSP availability would
  "refresh" and stop reporting the revocation. They also issued a new set of
  intermediate certificates that server admins could configure their server to
  Either option would hopefully allow affected sites to solve the problem.
  Some users were never affected because the CDNs that provided the OCSP
  information did not cache at those CDNs. Some sites were never affected
  because GlobalSign has separate roots for some certs (EV, etc).
So, on to the question of whether this is a violation of the Baseline
Requirements. It seems like it may indeed be a violation.
Looking at the BRs (
Section 4.10.1 says:
"Revocation entries on a CRL or OCSP Response MUST NOT be removed until after
the Expiry Date of the revoked Certificate."
In GlobalSign's Incident Report, within the section "Incident Timeline", they
"13-Oct-16 12:20 Removal of cross signing certificate from the OCSP Database"
So it seems that un-publishing the revocation information for the Cross
Certificate would indeed be a BR violation. But this is not an area of
compliance I am familiar with.
Hopefully someone else can chime in and say for sure if this is a violation.
dev-security-policy mailing list
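A toy model of the two points the post raises, added here as an illustration and not GlobalSign's code or the OCSP responder vendor's code: a revocation table keyed by (Subject Name, Public Key) that lets one revoked cross certificate poison every certificate chaining to that key, beside a table keyed by the RFC 6960 CertID (issuer name hash, issuer key hash, serial), which names exactly one certificate; and a removal guard for the BR 4.10.1 rule quoted above. The certificate hierarchy, the key labels, the "inherit the issuer's status" lookup and the dates are constructed assumptions, not the actual responder logic.

```python
"""
Model of OCSP revocation-table keying and a BR 4.10.1 removal guard.
Constructed illustration; the hierarchy and lookup rules are assumptions.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


def _h(s: str) -> str:
    """Stand-in for the issuerNameHash / issuerKeyHash fields of a CertID."""
    return hashlib.sha256(s.encode()).hexdigest()[:16]


@dataclass(frozen=True)
class Cert:
    issuer_name: str
    issuer_key: str      # stand-in for the issuer's SubjectPublicKeyInfo
    serial: int
    subject_name: str
    public_key: str      # stand-in for this certificate's SubjectPublicKeyInfo
    not_after: datetime

    def cert_id(self):
        # RFC 6960 CertID: (issuerNameHash, issuerKeyHash, serialNumber)
        return (_h(self.issuer_name), _h(self.issuer_key), self.serial)


# Constructed hierarchy: "Root R" is also cross-signed by "Root Q". The cross
# certificate carries Root R's subject name and public key but has a different
# issuer and serial, so only a CertID tells the two apart.
ROOT_R = Cert("Root R", "KEY-R", 1, "Root R", "KEY-R", datetime(2030, 1, 1, tzinfo=UTC))
CROSS = Cert("Root Q", "KEY-Q", 2, "Root R", "KEY-R", datetime(2025, 1, 1, tzinfo=UTC))
SUB_A = Cert("Root R", "KEY-R", 3, "Sub CA A", "KEY-A", datetime(2027, 1, 1, tzinfo=UTC))
SUB_B = Cert("Root R", "KEY-R", 4, "Sub CA B", "KEY-B", datetime(2027, 1, 1, tzinfo=UTC))
LEAF = Cert("Sub CA A", "KEY-A", 5, "www.example.test", "KEY-L", datetime(2026, 1, 1, tzinfo=UTC))
CHAIN = {c.subject_name: c for c in (ROOT_R, SUB_A, SUB_B, LEAF)}  # issuer lookup by name


class SubjectKeyStore:
    """Revocations keyed by (subject name, public key); a revoked key marks
    every certificate below it as bad. This is the failure mode to avoid."""

    def __init__(self):
        self.revoked = set()

    def revoke(self, cert: Cert) -> None:
        self.revoked.add((cert.subject_name, cert.public_key))

    def status(self, cert: Cert) -> str:
        c = cert
        while True:
            if (c.subject_name, c.public_key) in self.revoked:
                return "revoked"
            if (c.issuer_name, c.issuer_key) == (c.subject_name, c.public_key):
                return "good"          # reached a self-signed root
            c = CHAIN[c.issuer_name]   # walk up to the issuer


class CertIdStore:
    """Revocations keyed by CertID; only the named certificate is affected."""

    def __init__(self):
        self.revoked = {}  # cert_id -> not_after of the revoked certificate

    def revoke(self, cert: Cert) -> None:
        self.revoked[cert.cert_id()] = cert.not_after

    def status(self, cert: Cert) -> str:
        return "revoked" if cert.cert_id() in self.revoked else "good"

    def remove_entry(self, cert: Cert, now: datetime) -> str:
        """BR 4.10.1: an entry MUST NOT be removed until after expiry."""
        expiry = self.revoked.get(cert.cert_id())
        if expiry is None:
            return "not-present"
        if now <= expiry:
            return "refused"           # un-publishing before expiry is blocked
        del self.revoked[cert.cert_id()]
        return "removed"


def demo() -> dict:
    """Revoke the cross certificate in both stores and compare outcomes."""
    by_key, by_id = SubjectKeyStore(), CertIdStore()
    by_key.revoke(CROSS)
    by_id.revoke(CROSS)
    return {
        "key_leaf": by_key.status(LEAF),      # collateral: whole tree revoked
        "key_sub_b": by_key.status(SUB_B),
        "id_leaf": by_id.status(LEAF),        # unaffected
        "id_cross": by_id.status(CROSS),      # only the cross cert is revoked
        "id_root": by_id.status(ROOT_R),
        "early_removal": by_id.remove_entry(CROSS, datetime(2016, 10, 13, tzinfo=UTC)),
        "post_expiry_removal": by_id.remove_entry(CROSS, datetime(2025, 2, 1, tzinfo=UTC)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The CertID-keyed store gives the behaviour a relying party expects from OCSP: revoking the cross certificate changes the answer for that certificate only, and the responder cannot silently drop the entry while the certificate is still within its validity period.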