Dear Andrew, Dear all,

Thank you for providing this work regarding OCSP responses and for sharing the detailed list of concerned certificates. We have analyzed SwissSign’s certificates on the list and herewith give a wrap-up of our insights.

SwissSign’s 10 certificates on the list provided under https://sslmate.com/labs/ocsp_watch/ all share the same specifics: they are precertificates where no final certificates with the according serial number have been issued, the OCSP response for these certificates is «unknown», and they were issued before July 2021.

In September 2021 SwissSign changed the handling of precertificates to not only be compliant with BRG 4.9.10 (which states that a *definitive* OCSP response is *optional* for precertificates) but also to follow the recommended practice detailed in “CA/Required or Recommended Practices” (https://wiki.mozilla.org/CA/Required_or_Recommended_Practices).

Because of this constellation (MAY clause in BRG and Mozilla *recommended* practice) we assumed that it was acceptable to simply leave the remaining precertificates in the status “unknown” where no final certificate was issued.

Best regards
Adrian

Adrian Mueller
*SwissSign AG*

Andrew Ayer wrote on Tuesday, March 22, 2022 at 16:14:58 UTC+1:
> Recently, we've seen several CA incidents related to the failure to
> provide OCSP responses, such as not operating OCSP services for abandoned
> certificate orders <https://bugzilla.mozilla.org/show_bug.cgi?id=1758027>,
> or publishing OCSP responses with lengthy delays
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1758372>.
>
> To smoke out these issues, I've created OCSP Watch, which continuously
> audits a sample of unexpired certificates found in Certificate
> Transparency logs to make sure CAs are correctly operating OCSP
> services. OCSP Watch has identified over 1,000 certificates issued by
> 20 distinct CAs for which the CA is not providing a valid OCSP response.
>
> The list of certificates can be found here:
>
> https://sslmate.com/labs/ocsp_watch/
>
> OCSP responses are considered valid if the responder returns a response
> within 10 seconds that can be successfully parsed by Go's
> golang.org/x/crypto/ocsp package, and has a status of Good or Revoked.
>
> CAs should examine the above list and file an Incident Report if necessary.
>
> Regards,
> Andrew
