> Government of The Netherlands, PKIoverheid (Logius)
>
> DN: C=NL, O=KPN Corporate Market BV, CN=KPN Corporate Market CSP Organisatie CA - G2
> Example cert: https://crt.sh/?q=f821a600af00d2fa23f569e00fdf2379bc182920205a6b9b0276733cb2857c15
> OCSP URI: http://ocsp2.managedpki.com
Dear community,

My apologies for the delayed response. The last few days we’ve been in close contact with our TSP KPN to identify and remedy this issue. I can confirm that a fix for this issue was deployed yesterday and that the OCSP responder (OCSP2) in question now responds as expected to these kinds of requests.

As to Nick’s question about how we and the auditor missed this: KPN switched to another OCSP responder (OCSP3) when BR requirement 4.9.10 became effective. Around that time KPN deployed a software update for OCSP2 which was necessary so that this responder would also comply with BR requirement 4.9.10. Although the software upgrade took place, the configuration change to the OCSP2 responder was somehow never executed. Nevertheless, all TLS certificates issued after 10/25/2013 should be directing users to OCSP3. That responder was and is compliant with BR 4.9.10 from the effective date.

Today we have published a new requirement for our PKIoverheid TSPs regarding audit criteria and scoping. See bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1391864

The result of this new requirement should be that ALL BR requirements are in scope of the audit, including a technical requirement like BR 4.9.10.

Furthermore, we have formulated a plan to prevent future issues like these, which involves active monitoring of the OCSP responses. Not only because of uptime requirements (that was already monitored), but also input/output validation to confirm OCSP responders are behaving as they should. Said mechanism would probably take the form of a fixed-interval query whose results would be reported by email to us and (possibly) the sub CA from the PKIoverheid TSP in question. This new measure will be effective no later than 10/1/2017.

Please let me know if you have any questions.

Best regards,
Mark Janssen

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

