Let me try that again since I didn't explain my original post very well. Totally worth it since I got a sweet Yu-gi-oh reference out of fit.
What happened at DigiCert is that the OCSP service failed to return a signed response for a certificate where a pre-certificate existed by a certificate had not issued for whatever reason. The question asked was what type of OCSP services are required for a pre-cert if there is no other certificate. The answer we came up with is it should respond "GOOD" based on the Mozilla policy, not Unknown or any other response. Note that this was a bug in the DigiCert system but it lead to a fun internal discussion. What I'm sharing is the outcome of the internal discussion - it's only tangentially related to the bug, not the cause or remediation of it. Summary: Pre-certs require a standard OCSP response as if the pre-cert was a normal cert. In fact, it's a mistake to ever think of pre-certs as anything other than TLS certs, even if the poison extension exists. The question comes up because the BRs don't cover pre-certs. However, as Ryan points out, the browsers sort-of cover this as does the Mozilla policy. The browser say this is a promise to issue the cert and mis-issuance of a pre-cert is the same as mis-issuance of a cert. Although this isn't mis-issuance in the traditional profile sense, the lack of OCSP services for the pre-cert is a violation of the Mozilla policy. I couldn't figure out if it's a violation of the Chrome policy since Chrome says it's a promise to issue a cert. If the cert hasn't issued, then I'm not sure where that puts the OCSP service for Chrome. Regardless, according to Mozilla's policy, the requirement is that regardless of how long the cert takes to issue, the CA must provide OCSP services for the pre-cert. The reason is Mozilla requires an OCSP for each end-entity certificate listing an AIA in the certificate. Pre-certs are end-entity certificates. Jeremy -----Original Message----- From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Jeremy Rowley via dev-security-policy Sent: Thursday, August 29, 2019 11:55 AM To: Peter Bowen <pzbo...@gmail.com>; Ryan Sleevi <r...@sleevi.com> Cc: Curt Spann <csp...@apple.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: DigiCert OCSP services returns 1 byte Yes. That was the point of my post. There is a requirement fo return an ocsp repsonse for a pre cert where the cert hasn't issued because of the Mozilla policy. Hence our failure was a Mozilla policy violation even if no practical system can use the response because no actual cert (without a posion extension) exists. ________________________________ From: Peter Bowen <pzbo...@gmail.com> Sent: Thursday, August 29, 2019 11:44:11 AM To: Ryan Sleevi <r...@sleevi.com> Cc: Jeremy Rowley <jeremy.row...@digicert.com>; Curt Spann <csp...@apple.com>; mozilla-dev-security-pol...@lists.mozilla.org <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: DigiCert OCSP services returns 1 byte On Thu, Aug 29, 2019 at 10:38 AM Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org>> wrote: On Thu, Aug 29, 2019 at 1:15 PM Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org>> wrote: > Thanks for posting this Curt. We investigated and posted an incident > report on Bugzilla. The root cause was related to pre-certs and an > error in generating certificates for them. We're fixing the issue > (should be done shortly). I figured it'd be good to document here why > pre-certs fall under the requirement so there's no confusion for other CAs. > Oh, Jeremy, you were going so well on the bug, but now you've activated my trap card (since you love the memes :) ) It's been repeatedly documented every time a CA tries to make this argument. Would you suggest we remove that from the BRs? I'm wholly supportive of this, since it's known I was not a fan of adding it to the BRs for precisely this sort of creative interpretation. I believe you're now the ... fourth... CA that's tried to skate on this? Multiple root programs have clarified: The existence of a pre-certificate is seen as a binding committment, for purposes of policy, by that CA, that it will or has issued an equivalent certificate. Is there a requirement that a CA return a valid OCSP response for a pre-cert if they have not yet issued the equivalent certificate? Is there a requirement that a CA return a valid OCSP response for a serial number that has never been assigned? I know of several OCSP responders that return a HTTP error in this case. Thanks, Peter _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
