We have been monitoring the discussions on the m.d.s.p. mailing list
and, after the announcements of GlobalSign and Let's Encrypt, found that
our OCSP responder is affected by the same issue.

In particular, whenever a precertificate is generated, but CT submission
fails, EJBCA will fail to create the corresponding certificate, and thus
reply with the status "Unknown" on OCSP queries.

We have found out that this affected 52 certificates. None of these
certificates have been generated or delivered to clients.

Examples:
https://crt.sh/?id=1720920023&opt=ocsp
https://crt.sh/?id=1677051376&opt=ocsp

We have opened a bug with PrimeKey to address the EJBCA issue. Until
this is corrected by PrimeKey we have mitigated this issue using an
in-house patch.

We have also opened a bug in Bugzilla to track the progress of this
issue at:
https://bugzilla.mozilla.org/show_bug.cgi?id=15795
--
Chris Kemmerer
Manager of Operations
SSL.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~ To find the reefs, look~~~~~~~~
~~~~ for the wrecks. ~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
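
An added example (not part of the original message, and not SSL.com's or PrimeKey's code): a reconciliation check that flags precertificate serials for which the OCSP responder holds no record and therefore answers "Unknown", the condition described in the message above. The event names, log layout and status store are assumptions, and all data is constructed.

```python
from collections import defaultdict

# Constructed issuance log as (serial, event) pairs. Event names are hypothetical.
EVENTS = [
    ("0A01", "precert_issued"), ("0A01", "ct_submit_ok"), ("0A01", "cert_issued"),
    ("0A02", "precert_issued"), ("0A02", "ct_submit_failed"),
    ("0A03", "precert_issued"), ("0A03", "ct_submit_failed"),
    ("0A03", "ct_submit_ok"), ("0A03", "cert_issued"),  # retry succeeded
    ("0A04", "precert_issued"), ("0A04", "ct_submit_ok"), ("0A04", "cert_issued"),
]

# Constructed responder status store: only serials the responder has a record for.
OCSP_STORE = {"0A01": "good", "0A03": "good", "0A04": "revoked"}


def ocsp_status(serial, store):
    """Model a responder that answers 'unknown' for any serial it has no record of."""
    return store.get(serial.upper(), "unknown")


def find_orphaned_precerts(events, store):
    """Return precertificate serials for which the responder answers 'unknown'."""
    seen = defaultdict(set)
    for serial, event in events:
        seen[serial.upper()].add(event)
    findings = []
    for serial, evs in sorted(seen.items()):
        if "precert_issued" not in evs:
            continue  # only serials that appeared in a precertificate matter here
        if ocsp_status(serial, store) == "unknown":
            findings.append({
                "serial": serial,
                "final_cert_issued": "cert_issued" in evs,
                "ct_failure_logged": "ct_submit_failed" in evs,
            })
    return findings


if __name__ == "__main__":
    for finding in find_orphaned_precerts(EVENTS, OCSP_STORE):
        print(finding)
```

Run against real data, the same comparison needs the CA's own list of precertificate serials on one side and the responder's status source on the other.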