Hi Juan. Is there a particular technical reason why you feel the need
to include "all the certs chaining up to the roots" in your OCSP responses?
When an OCSP response is signed directly by the CA that issued the
corresponding certificate, the OCSP response does not need to contain
any certificates at all.
When a CA uses an Authorized Responder, the OCSP response needs to
contain 1 certificate (i.e., the leaf cert, issued directly by the CA,
that contains the id-kp-ocspSigning EKU OID).
I don't see any circumstance in which including >1 certificate in an
OCSP response provides any benefit. All it does is bloat the OCSP
response unnecessarily.
The TLS client's certificate path validation algorithm validates the
issuing CA. Therefore, the OCSP response validation algorithm only
needs to validate the OCSP response up to that issuing CA, not all the
way up to the root.
On 18/01/18 07:34, Juan Angel Martin (AC Camerfirma) via
dev-security-policy wrote:
Hello Wayne,
I investigated the OCSP issue some time ago; I can tell you that it's related
to https://github.com/golang/go/issues/21527, because we send all the certs
chaining up to the roots.
BR
Juan Angel
From: Wayne Thayer [mailto:[email protected]]
Sent: Wednesday, 17 January 2018 19:14
To: [email protected]
CC: mozilla-dev-security-policy <[email protected]>
Subject: Re: Camerfirma's misissued certificate
Thank you for reporting this misissuance. Since this is a different issue than
described in bug 1390977, I have created a new bug to track this problem and
your response: https://bugzilla.mozilla.org/show_bug.cgi?id=1431164 Please also
post your incident report here.
Also, the crt.sh link above is reporting the following OCSP error for this certificate:
"OCSP response contains bad number of certificates". Please investigate.
- Wayne
On Wed, Jan 17, 2018 at 9:27 AM, Juan Angel Martin via dev-security-policy
<[email protected]> wrote:
Hello,
I have to inform you about a misissued SSL certificate. The OU contains
non-printable control characters.
https://crt.sh/?id=305441195
It has already been revoked.
Regards
Juan Angel Martin Gomez
AC Camerfirma
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
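An added example, not from this thread and not Camerfirma's, crt.sh's or Mozilla's code: a Go check, using only the standard library, that parses a DER OCSPResponse, counts the certificates in the BasicOCSPResponse "certs" field, and applies the three cases Rob lays out at the top of the thread (no certs: signed by the issuing CA itself; one cert: an authorized responder cert issued by that CA with the id-kp-OCSPSigning EKU; more than one: bloat). The ASN.1 struct layout mirrors the one golang.org/x/crypto/ocsp uses; the statement that that parser rejects more than one embedded cert is my reading of it and is not stated on this page. DemoCerts generates a throwaway issuing CA and responder cert as constructed test data, and BuildResponse fabricates the envelope with a dummy signature, so the check exercises the structure only, not the signature. The function and type names are my own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// RFC 6960 envelope, decoded only as far as this check needs (the layout that
// golang.org/x/crypto/ocsp uses, but only the stdlib asn1 codec is involved).
type responseBytes struct {
	ResponseType asn1.ObjectIdentifier
	Response     []byte
}
type ocspResponse struct {
	Status        asn1.Enumerated
	ResponseBytes responseBytes `asn1:"explicit,tag:0,optional"`
}
type basicResponse struct {
	TBSResponseData    asn1.RawValue
	SignatureAlgorithm pkix.AlgorithmIdentifier
	Signature          asn1.BitString
	Certificates       []asn1.RawValue `asn1:"explicit,tag:0,optional"`
}

var idPKIXOCSPBasic = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 1}

// CheckOCSPCerts parses a DER OCSPResponse and applies the three cases from the
// message above. 0 certs: signed with the issuing CA's own key, nothing to check
// here. 1 cert: an authorized responder, which must be issued by that CA and
// carry id-kp-OCSPSigning. More: dead weight (assumption: x/crypto/ocsp, the
// parser behind the crt.sh error quoted above, rejects that outright).
func CheckOCSPCerts(der []byte, issuer *x509.Certificate) (numCerts int, problems []string, err error) {
	var outer ocspResponse
	if _, err = asn1.Unmarshal(der, &outer); err != nil {
		return 0, nil, err
	}
	if outer.Status != 0 || !outer.ResponseBytes.ResponseType.Equal(idPKIXOCSPBasic) {
		return 0, nil, fmt.Errorf("not a successful id-pkix-ocsp-basic response (status %d)", outer.Status)
	}
	var basic basicResponse
	if _, err = asn1.Unmarshal(outer.ResponseBytes.Response, &basic); err != nil {
		return 0, nil, err
	}
	numCerts = len(basic.Certificates)
	switch {
	case numCerts > 1:
		problems = append(problems, fmt.Sprintf("%d certs embedded; at most 1 is ever useful", numCerts))
	case numCerts == 1:
		cert, perr := x509.ParseCertificate(basic.Certificates[0].FullBytes)
		if perr != nil {
			return 1, nil, perr
		}
		if cert.CheckSignatureFrom(issuer) != nil {
			problems = append(problems, "responder cert is not signed by the issuing CA")
		}
		hasEKU := false
		for _, eku := range cert.ExtKeyUsage {
			hasEKU = hasEKU || eku == x509.ExtKeyUsageOCSPSigning
		}
		if !hasEKU {
			problems = append(problems, "responder cert lacks id-kp-OCSPSigning EKU")
		}
	}
	return numCerts, problems, nil
}

// BuildResponse wraps an empty tbsResponseData, a dummy signature and the given
// certs in the envelope: constructed test data for the structure the check reads.
func BuildResponse(certs ...*x509.Certificate) []byte {
	basic := basicResponse{
		TBSResponseData:    asn1.RawValue{Tag: asn1.TagSequence, IsCompound: true},
		SignatureAlgorithm: pkix.AlgorithmIdentifier{Algorithm: asn1.ObjectIdentifier{1, 3, 101, 112}}, // id-Ed25519
		Signature:          asn1.BitString{Bytes: make([]byte, 64), BitLength: 512},
	}
	for _, c := range certs {
		basic.Certificates = append(basic.Certificates, asn1.RawValue{FullBytes: c.Raw})
	}
	inner, _ := asn1.Marshal(basic) // our own well-formed literals; Marshal cannot fail here
	der, _ := asn1.Marshal(ocspResponse{ResponseBytes: responseBytes{ResponseType: idPKIXOCSPBasic, Response: inner}})
	return der
}

// DemoCerts generates a throwaway issuing CA and the OCSP responder cert it
// issued (made up for this example; nothing here comes from a real CA).
func DemoCerts() (ca, responder *x509.Certificate) {
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Issuing CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	respTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Demo OCSP Responder"},
		NotBefore: now, NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}}
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	respPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca = mustCreate(caTmpl, caTmpl, caPub, caKey)
	return ca, mustCreate(respTmpl, ca, respPub, caKey)
}

func mustCreate(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

func main() {
	ca, responder := DemoCerts()
	for _, der := range [][]byte{BuildResponse(), BuildResponse(responder), BuildResponse(responder, ca)} {
		n, problems, err := CheckOCSPCerts(der, ca)
		fmt.Println("certs:", n, "problems:", problems, "err:", err)
	}
}
```

The three built responses correspond to Rob's three cases, and the last one is the shape Juan describes (responder cert plus the chain above it). A real response saved with `openssl ocsp ... -respout resp.der` can be passed to CheckOCSPCerts together with the parsed issuing CA certificate; the check deliberately stops at that CA, since the TLS client's path validation has already validated it.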