We believe this issue has been fixed.
________________________________
From: Ben Wilson
Sent: Sunday, January 27, 2019 2:22:45 PM
To: Corey Bonnell; mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Incorrect OCSP status for revoked intermediates

Thanks, Corey.  As I said, we'll try to get this resolved as soon as
possible and file an incident report.

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On
Behalf Of Corey Bonnell via dev-security-policy
Sent: Sunday, January 27, 2019 2:21 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Incorrect OCSP status for revoked intermediates

On Sunday, January 27, 2019 at 4:09:44 PM UTC-5, Ben Wilson wrote:
> I'll look into this immediately, but have you checked to see whether
> these certificates have OCSP AIAs in them?  Or did you find these by
> searching our CRLs?
>
> -----Original Message-----
> From: dev-security-policy
> <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Corey
> Bonnell via dev-security-policy
> Sent: Sunday, January 27, 2019 8:50 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Incorrect OCSP status for revoked intermediates
>
> Hello,
> I discovered that the following Baltimore CyberTrust Root-chained
> intermediates are disclosed in CCADB and are revoked via CRL, but the
> OCSP responder is returning "good":
>
> DigiCert
> crt.sh URL(s),notBefore,notAfter,subject CN,issuer CN
> https://crt.sh/?id=3528065,2014-02-12,2021-02-12,Bechtel External Policy CA 1,Baltimore CyberTrust Root
> https://crt.sh/?id=91478106,2014-04-16,2024-04-16,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
> https://crt.sh/?id=12625621,2014-04-16,2024-04-16,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
> https://crt.sh/?id=91478107,2014-04-16,2024-04-16,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
> https://crt.sh/?id=12620974,2014-09-10,2024-09-10,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
> https://crt.sh/?id=6906659,2015-03-03,2022-03-03,ABB Intermediate CA 3,Baltimore CyberTrust Root
> https://crt.sh/?id=6976985,2015-03-18,2022-03-18,Bechtel External Policy CA 1,Baltimore CyberTrust Root
> https://crt.sh/?id=35335507,2015-05-21,2022-05-21,ABB Intermediate CA 3,Baltimore CyberTrust Root
> https://crt.sh/?id=78292184,2016-11-30,2020-11-30,Eurida Primary CA,Baltimore CyberTrust Root
>
> Given that software may rely on OCSP responses for revocation checking
> (as opposed to CRLs or some other mechanism), I wanted to notify the
> Mozilla community of this inconsistent revocation information.
>
> Thanks,
> Corey
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

Hi Ben,
Yes, I confirmed that all listed certificates have OCSP AIA pointers. You
can use the crt.sh links and click "Check" in the Revocation table's OCSP
column to have crt.sh perform the OCSP check for you.

For full disclosure, I found these certificates using Censys.io.

Thanks,
Corey
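A cross-check of the kind Corey describes (CRL says revoked, OCSP says good), as an added example that is not part of this thread and not DigiCert's or crt.sh's code. It constructs, entirely offline, a root, an intermediate that the root's CRL revokes, and two OCSP responses signed with the root key, one wrongly answering "good" and one correctly answering "revoked", then reports whether the two revocation sources agree for the certificate. All names, keys and dates are constructed, and the `cryptography` package is assumed to be installed; against real certificates you would replace the constructed CRL and OCSP bytes with what the CRL distribution point and the OCSP AIA URL actually serve.

```python
"""Cross-check CRL and OCSP revocation status for one certificate.
Constructed example: hypothetical root/intermediate names, offline data."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2019, 1, 27)  # constructed reference time (naive UTC)
DAY = datetime.timedelta(days=1)
DER = serialization.Encoding.DER


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer_name, pub, signer, path_length):
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer_name).public_key(pub)
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - 30 * DAY).not_valid_after(NOW + 3650 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=path_length), critical=True)
            .sign(signer, hashes.SHA256()))


def build_chain():
    """Constructed root and intermediate (hypothetical names)."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    inter_key = ec.generate_private_key(ec.SECP256R1())
    root = _cert(_name("Example Root"), _name("Example Root"), root_key.public_key(), root_key, None)
    inter = _cert(_name("Example Intermediate CA"), root.subject, inter_key.public_key(), root_key, 0)
    return root_key, root, inter


def build_crl(root_key, root, revoked_serials):
    """DER root CRL listing the given serials as revoked."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(root.subject).last_update(NOW).next_update(NOW + 7 * DAY))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(NOW - DAY).build())
    return builder.sign(root_key, hashes.SHA256()).public_bytes(DER)


def build_ocsp_response(root_key, root, cert, status):
    """DER OCSP response for `cert`, signed directly by the issuer key."""
    revocation_time = NOW - DAY if status == ocsp.OCSPCertStatus.REVOKED else None
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=cert, issuer=root, algorithm=hashes.SHA1(),
                             cert_status=status, this_update=NOW, next_update=NOW + DAY,
                             revocation_time=revocation_time, revocation_reason=None)
               .responder_id(ocsp.OCSPResponderEncoding.NAME, root))
    return builder.sign(root_key, hashes.SHA256()).public_bytes(DER)


def crl_status(crl_der, cert, issuer):
    """'revoked' or 'good' from a CRL whose signature verifies under `issuer`."""
    crl = x509.load_der_x509_crl(crl_der)
    issuer.public_key().verify(crl.signature, crl.tbs_certlist_bytes,
                               ec.ECDSA(crl.signature_hash_algorithm))
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    return "revoked" if entry is not None else "good"


def ocsp_status(resp_der, cert, issuer):
    """'good', 'revoked' or 'unknown' from an OCSP response signed by `issuer`."""
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "unknown"
    issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                               ec.ECDSA(resp.signature_hash_algorithm))
    if resp.serial_number != cert.serial_number:  # response is about some other cert
        return "unknown"
    return {ocsp.OCSPCertStatus.GOOD: "good",
            ocsp.OCSPCertStatus.REVOKED: "revoked"}.get(resp.certificate_status, "unknown")


def cross_check(cert, issuer, crl_der, ocsp_der):
    """Both statuses plus whether the two revocation sources agree."""
    result = {"crl": crl_status(crl_der, cert, issuer),
              "ocsp": ocsp_status(ocsp_der, cert, issuer)}
    result["consistent"] = result["crl"] == result["ocsp"]
    return result


def demo():
    """The reported inconsistency (responder says good) and its corrected form."""
    root_key, root, inter = build_chain()
    crl_der = build_crl(root_key, root, [inter.serial_number])
    says_good = build_ocsp_response(root_key, root, inter, ocsp.OCSPCertStatus.GOOD)
    says_revoked = build_ocsp_response(root_key, root, inter, ocsp.OCSPCertStatus.REVOKED)
    return cross_check(inter, root, crl_der, says_good), cross_check(inter, root, crl_der, says_revoked)


if __name__ == "__main__":
    for label, r in zip(("responder says good", "responder says revoked"), demo()):
        print(f"{label}: CRL={r['crl']} OCSP={r['ocsp']} consistent={r['consistent']}")
```

The two checks deliberately verify each source's signature against the issuer before trusting its answer, since an unsigned or wrongly signed "good" is no better than a missing one; a production version would also reject a CRL or OCSP response whose next update is in the past.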