Hi Andrew, Thanks for this work. We had a check on the counts coming under our name (eMudhra). The problem indicated for all certs are "OCSP response has invalid content type application/x-x509-ca-cert".
I believe this is an acceptable response and there is no problem. The OCSP response are signed via dedicated responder cert (not the CA), and hence it contains this cert data. Else the OCSP verification fails. Appreciate if you/someone can suggest if I'm missing something here. Regards, Vijay On Tuesday, March 22, 2022 at 8:44:58 PM UTC+5:30 Andrew Ayer wrote: > Recently, we've seen several CA incidents related to the failure to > provide OCSP responses, such as not operating OCSP services for abandoned > certificate orders <https://bugzilla.mozilla.org/show_bug.cgi?id=1758027>, > or publishing OCSP responses with lengthy delays > <https://bugzilla.mozilla.org/show_bug.cgi?id=1758372>. > > To smoke out these issues, I've created OCSP Watch, which continuously > audits a sample of unexpired certificates found in Certificate > Transparency logs to make sure CAs are correctly operating OCSP > services. OCSP Watch has identified over 1,000 certificates issued by > 20 distinct CAs for which the CA is not providing a valid OCSP response. > > The list of certificates can be found here: > > https://sslmate.com/labs/ocsp_watch/ > > OCSP responses are considered valid if the responder returns a response > within 10 seconds that can be successfully parsed by Go's > golang.org/x/crypto/ocsp package, and has a status of Good or Revoked. > > CAs should examine the above list and file an Incident Report if necessary. > > Regards, > Andrew > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/d039e4b0-e009-46fd-9402-a9e107a8fb75n%40mozilla.org.
