Thanks again, Andrew, for reporting the anomaly.
Adriano ACTALIS S.p.A. Il 23/03/2022 13:53, Adriano Santoni ha scritto:
Thanks for bringing this to our attention. We started investigating and will inform the community of our findings as soon as we have a clear enough picture.For now we can say that the irregular OSCP responses reported by your OCSP Watch concern 3 pre-certificates.Adriano ACTALIS S.p.A. Il 22/03/2022 16:14, Andrew Ayer ha scritto:Recently, we've seen several CA incidents related to the failure to provide OCSP responses, such as not operating OCSP services for abandoned certificate orders<https://bugzilla.mozilla.org/show_bug.cgi?id=1758027>, or publishing OCSP responses with lengthy delays <https://bugzilla.mozilla.org/show_bug.cgi?id=1758372>. To smoke out these issues, I've created OCSP Watch, which continuously audits a sample of unexpired certificates found in Certificate Transparency logs to make sure CAs are correctly operating OCSP services. OCSP Watch has identified over 1,000 certificates issued by 20 distinct CAs for which the CA is not providing a valid OCSP response. The list of certificates can be found here: https://sslmate.com/labs/ocsp_watch/ OCSP responses are considered valid if the responder returns a response within 10 seconds that can be successfully parsed by Go's golang.org/x/crypto/ocsp package, and has a status of Good or Revoked. CAs should examine the above list and file an Incident Report if necessary. Regards, Andrew
-- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/14143c23-5cf0-ab7e-4b8a-a9fe78d62411%40staff.aruba.it.
smime.p7s
Description: Firma crittografica S/MIME
