Recently, we've seen several CA incidents related to the failure to provide OCSP responses, such as not operating OCSP services for abandoned certificate orders <https://bugzilla.mozilla.org/show_bug.cgi?id=1758027>, or publishing OCSP responses with lengthy delays <https://bugzilla.mozilla.org/show_bug.cgi?id=1758372>.
To smoke out these issues, I've created OCSP Watch, which continuously audits a sample of unexpired certificates found in Certificate Transparency logs to make sure CAs are correctly operating OCSP services. OCSP Watch has identified over 1,000 certificates issued by 20 distinct CAs for which the CA is not providing a valid OCSP response. The list of certificates can be found here: https://sslmate.com/labs/ocsp_watch/

OCSP responses are considered valid if the responder returns a response within 10 seconds that can be successfully parsed by Go's golang.org/x/crypto/ocsp package, and has a status of Good or Revoked.

CAs should examine the above list and file an Incident Report if necessary.

Regards,
Andrew
