Re: Apple: Precertificates without corresponding certificates return OCSP value of "unknown"

2019-09-19 Thread Wayne Thayer via dev-security-policy
Thank you for the notification. I have created
https://bugzilla.mozilla.org/show_bug.cgi?id=1582519 to track this issue.

- Wayne

On Fri, Sep 13, 2019 at 4:24 PM Apple CA via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> We’ve been following the discussions regarding how OCSP responders should
> handle Precertificates without corresponding certificates and what the
> appropriate response indicator should be (good, revoked, or unknown).
>
> Based on the recent clarifications at [1], we want to inform the community
> that Apple’s OCSP responders return a status of “unknown” for
> Precertificates without a corresponding certificate. We have identified one
> Precertificate that did not result in a corresponding certificate for which
> our OCSP responders are returning a status of “unknown” (
> https://crt.sh/?id=1368484681).
>
> We’ve updated the OCSP responders to respond “good” for that
> Precertificate and a long-term fix is in progress.
>
> We appreciate the efforts being made to amend the Mozilla Root Store
> Policy to explicitly address matters relating to Certificate Transparency.
>
> [1]
> https://groups.google.com/d/msg/mozilla.dev.security.policy/LC_y8yPDI9Q/24Fl9kc-AQAJ
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>


Apple: Precertificates without corresponding certificates return OCSP value of "unknown"

2019-09-13 Thread Apple CA via dev-security-policy
We’ve been following the discussions regarding how OCSP responders should 
handle Precertificates without corresponding certificates and what the 
appropriate response indicator should be (good, revoked, or unknown). 

Based on the recent clarifications at [1], we want to inform the community that 
Apple’s OCSP responders return a status of “unknown” for Precertificates 
without a corresponding certificate. We have identified one Precertificate that 
did not result in a corresponding certificate for which our OCSP responders are 
returning a status of “unknown” (https://crt.sh/?id=1368484681).

We’ve updated the OCSP responders to respond “good” for that Precertificate and 
a long-term fix is in progress.

We appreciate the efforts being made to amend the Mozilla Root Store Policy to 
explicitly address matters relating to Certificate Transparency.

[1] 
https://groups.google.com/d/msg/mozilla.dev.security.policy/LC_y8yPDI9Q/24Fl9kc-AQAJ