On 31/08/2017 07:24, Peter Miškovič wrote:
Hi Paul,
we found the problem with the OCSP response for SubCA R1I1 and SubCA R2I2 and fixed 
it yesterday afternoon.
The problem with the OCSP response for the RootCA will be fixed by the end of next week. 
They are offline and there is no real possibility of issuing an SSL certificate 
directly from them even if they are enabled for issuing.


Please be aware that the requirement is there to avoid positive
responses for fake certificates that were never issued by the real CA
(such as in the DigiNotar incident).

But I understand the need to use slower, more careful update procedures
for root CA related infrastructure.  (I don't speak for Mozilla).

Regards
Peter Miskovic


From: Paul Kehrer [mailto:[email protected]]
Sent: Tuesday, August 29, 2017 2:48 PM
To: [email protected]
Subject: Violations of Baseline Requirements 4.9.10

I've recently completed a scan of OCSP responders with a focus on checking whether they are 
compliant with BR section 4.9.10's requirement: "Effective 1 August 2013, OCSP responders for 
CAs which are not Technically Constrained in line with Section 7.1.5 MUST NOT respond with a 
"GOOD" status for such certificates." This rule was put in place in the wake of the 
DigiNotar incident as an additional method of ensuring the CA is aware of all issuances in its 
infrastructure and has been a requirement for over 4 years now.

The scan was performed by taking the list of responders (and valid issuer name 
hash/issuer key hashes) that Andrew Ayer has aggregated and making an OCSP request for 
the serial number "0xdeadbeefdeadbeefdeadbeefdeadbeef". This serial is 
extremely unlikely to have been issued legitimately.

The following OCSP responders appear to be non-compliant with the BRs (they 
respond GOOD and are not listed as technically constrained by crt.sh) but are 
embedded in certificates issued in paths that chain up to trusted roots in the 
Mozilla store. I have grouped them by owner where possible and put notes about 
whether they've been contacted:


CA Disig a.s.

Email sent to [email protected]

DN: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig R1I1 Certification Service
Example cert: 
https://crt.sh/?q=da74b18f3651bf90a8b2c07f8df294de19e441dcaa6913627261752199c302a2
OCSP URI: http://subcar1i1-ocsp.disig.sk/ocsp/subcar1i1

DN: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig R2I2 Certification Service
Example cert: 
https://crt.sh/?q=1a088e912ddb15a3b52ab1396af2a1ce0dcfab170e007e551f63231c76975417
OCSP URI: http://subcar2i2-ocsp.disig.sk/ocsp/subcar2i2

DN: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R1
Example cert: 
https://crt.sh/?q=e1abb0faeaa7312f2c3e041cbd2df03a507e346b9716442463ed61106aff6947
OCSP URI: http://rootcar1-ocsp.disig.sk/ocsp/rootcar1

DN: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R2
Example cert: 
https://crt.sh/?q=239ffa86d71033ba255914782057d87e8421aedd5910b786928b6a1248c3e341
OCSP URI: http://rootcar2-ocsp.disig.sk/ocsp/rootcar2


-Paul



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
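The probe Paul describes (an OCSP request for the never-issued serial 0xdeadbeefdeadbeefdeadbeefdeadbeef, where a GOOD answer is a BR 4.9.10 violation), as an added example that is not part of the thread and is not Paul Kehrer's or Andrew Ayer's tooling. It assumes you already hold the issuer name hash and issuer key hash for the responder (SHA-1 over the issuer's DER Name and over the issuer's subjectPublicKey bits, the values Andrew Ayer's list aggregates); the two sample responses are constructed inside the block with a dummy signature for offline use and are not from any Disig responder. DER is hand-encoded so nothing beyond the standard library is needed.

```python
"""Probe an OCSP responder with a never-issued serial (BR 4.9.10 check).

Added example, not the thread's scanner.  Pure-Python DER (RFC 6960 structures)
so it runs offline; sample responses are constructed here with a dummy signature.
"""
import urllib.request

BOGUS_SERIAL = 0xDEADBEEFDEADBEEFDEADBEEFDEADBEEF     # serial used in the scan
OID_SHA1 = bytes.fromhex("2b0e03021a")                # 1.3.14.3.2.26
OID_OCSP_BASIC = bytes.fromhex("2b0601050507300101")  # 1.3.6.1.5.5.7.48.1.1


def der(tag, body):
    """DER TLV; definite long-form length once the body reaches 128 bytes."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_int(value):
    """DER INTEGER; the extra byte keeps 0xde... from reading as negative."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def cert_id(name_hash, key_hash, serial):
    """CertID { hashAlgorithm sha1, issuerNameHash, issuerKeyHash, serialNumber }"""
    alg = der(0x30, der(0x06, OID_SHA1) + der(0x05, b""))
    return der(0x30, alg + der(0x04, name_hash) + der(0x04, key_hash)
               + der_int(serial))


def ocsp_request(name_hash, key_hash, serial=BOGUS_SERIAL):
    """OCSPRequest { tbsRequest { requestList { Request { reqCert } } } }"""
    return der(0x30, der(0x30, der(0x30, der(0x30, cert_id(name_hash, key_hash,
                                                             serial)))))


def read_tlv(buf, pos=0):
    """Decode one DER element: (tag, value bytes, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def cert_status(response_der):
    """'good' | 'revoked' | 'unknown' for the first SingleResponse, or
    'error:...'.  The signature is NOT verified; a real scanner must verify it
    against the responder certificate before trusting the answer."""
    _, resp, _ = read_tlv(response_der)             # OCSPResponse
    _, status, pos = read_tlv(resp)                  # responseStatus ENUMERATED
    if status != b"\x00":
        return "error:responseStatus=%d" % status[0]
    _, wrapper, _ = read_tlv(resp, pos)              # responseBytes [0] EXPLICIT
    _, rbytes, _ = read_tlv(wrapper)                 # ResponseBytes SEQUENCE
    _, oid, pos = read_tlv(rbytes)                   # responseType OID
    if oid != OID_OCSP_BASIC:
        return "error:unexpected responseType"
    _, basic_der, _ = read_tlv(rbytes, pos)          # response OCTET STRING
    _, basic, _ = read_tlv(basic_der)                # BasicOCSPResponse
    _, tbs, _ = read_tlv(basic)                      # ResponseData
    tag, _, pos = read_tlv(tbs)                      # version [0] or responderID
    if tag == 0xA0:
        tag, _, pos = read_tlv(tbs, pos)             # responderID [1]/[2]
    _, _, pos = read_tlv(tbs, pos)                   # producedAt
    _, responses, _ = read_tlv(tbs, pos)             # responses SEQUENCE OF
    _, single, _ = read_tlv(responses)               # first SingleResponse
    _, _, pos = read_tlv(single)                     # certID
    tag, _, _ = read_tlv(single, pos)                # certStatus CHOICE
    return {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}.get(
        tag, "error:bad certStatus tag 0x%02x" % tag)


def br_4_9_10_violation(status):
    """GOOD for a serial the CA never issued is the BR 4.9.10 violation."""
    return status == "good"


def sample_response(name_hash, key_hash, status_tag, serial=BOGUS_SERIAL):
    """Constructed, unsigned OCSPResponse (dummy signature) so cert_status()
    can be exercised offline.  status_tag: 0x80 good, 0xA1 revoked, 0x82 unknown."""
    when = der(0x18, b"20170829124800Z")             # GeneralizedTime
    single = der(0x30, cert_id(name_hash, key_hash, serial)
                 + der(status_tag, b"") + when)      # certStatus, thisUpdate
    tbs = der(0x30, der(0xA2, der(0x04, key_hash))   # responderID byKey [2]
              + when + der(0x30, single))
    alg = der(0x30, der(0x06, OID_SHA1) + der(0x05, b""))
    basic = der(0x30, tbs + alg + der(0x03, b"\x00" * 33))  # dummy BIT STRING
    rbytes = der(0x30, der(0x06, OID_OCSP_BASIC) + der(0x04, basic))
    return der(0x30, der(0x0A, b"\x00") + der(0xA0, rbytes))


def probe(ocsp_uri, name_hash, key_hash, timeout=10):
    """POST the bogus-serial request to a live responder (network; not run
    offline) and classify the answer.  Returns (status, violation)."""
    req = urllib.request.Request(
        ocsp_uri, data=ocsp_request(name_hash, key_hash),
        headers={"Content-Type": "application/ocsp-request"})
    with urllib.request.urlopen(req, timeout=timeout) as r:
        status = cert_status(r.read())
    return status, br_4_9_10_violation(status)


if __name__ == "__main__":
    nh, kh = bytes(range(20)), bytes(range(20, 40))  # constructed placeholder hashes
    print("request:", ocsp_request(nh, kh).hex())
    for tag in (0x80, 0x82):
        s = cert_status(sample_response(nh, kh, tag))
        print(s, "-> VIOLATION" if br_4_9_10_violation(s) else "-> compliant")
```

Against a real responder, call `probe("http://responder.example/ocsp", name_hash, key_hash)` with the hashes taken from a certificate the responder actually serves; a compliant responder answers `unknown` (or `revoked`) for the bogus serial, and only `good` is a finding. Two things this probe deliberately does not do and a production scanner must: verify the response signature chains to the issuer or its delegated responder, and check `thisUpdate`/`nextUpdate` freshness, since an unsigned or stale `unknown` proves nothing either.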
