On Thursday, August 29, 2019 at 4:37:04 PM UTC-7, Jacob Hoffman-Andrews wrote:
> Also filed at https://bugzilla.mozilla.org/show_bug.cgi?id=1577652
> On 2019.08.28 we read Apple’s bug report at 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1577014 about DigiCert’s OCSP 
> responder returning incorrect results for a precertificate. This prompted us 
> to run our own investigation. We found in an initial review that for 35 of 
> our precertificates, we were serving incorrect OCSP results (“unauthorized” 
> instead of “good”). Like DigiCert, this happened when a precertificate was 
> issued, but the corresponding certificate was not issued due to an error.
> We’re taking these additional steps to ensure a robust fix:
>   - For each precertificate issued according to our audit logs, verify that 
> we are serving a corresponding OCSP response (if the precertificate is 
> currently valid).
>   - Configure alerting for the conditions that create this problem, so we can 
> fix any instances that arise in the short term.
>   - Deploy a code change to Boulder to ensure that we serve OCSP even if an 
> error occurs after precertificate issuance.

Out of curiosity, what software is checking OCSP for a pre-cert and why? Why 
does any software need the OCSP status of a pre-cert when it doesn't have the 
corresponding final cert?
dev-security-policy mailing list

Reply via email to