RE: Camerfirma's misissued certificate

Hi Rob,

We have some customers that really appreciate that we include them. But I can also tell you that you are absolutely right, and now we're studying how to modify this parameter in our OCSP.

Thanks a lot

Juan Angel

-----Original Message-----
From: Rob Stradling [mailto:rob.stradl...@comodo.com]
Sent: Thursday, 18 January 2018 12:21
To: Juan Angel Martin (AC Camerfirma) <martin...@camerfirma.com>
CC: 'Wayne Thayer' <wtha...@mozilla.com>; 'mozilla-dev-security-policy' <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Camerfirma's misissued certificate

Hi Juan. Is there a particular technical reason why you feel the need to include "all the certs chaining up to the roots" in your OCSP responses?

When an OCSP response is signed directly by the CA that issued the corresponding certificate, the OCSP response does not need to contain any certificates at all.

When a CA uses an Authorized Responder, the OCSP response needs to contain 1 certificate (i.e., the leaf cert, issued directly by the CA, that contains the id-kp-ocspSigning EKU OID).

I don't see any circumstance in which including >1 certificate in an OCSP response provides any benefit. All it does is bloat the OCSP response unnecessarily.

The TLS client's certificate path validation algorithm validates the issuing CA. Therefore, the OCSP response validation algorithm only needs to validate the OCSP response up to that issuing CA, not all the way up to the root.

On 18/01/18 07:34, Juan Angel Martin (AC Camerfirma) via dev-security-policy wrote:
> Hello Wayne,
>
> I investigated the OCSP issue some time ago; I can tell you that it's related to https://github.com/golang/go/issues/21527 because we send all the certs chaining up to the roots.
>
> BR
>
> Juan Angel
>
> From: Wayne Thayer [mailto:wtha...@mozilla.com]
> Sent: Wednesday, 17 January 2018 19:14
> To: martin...@camerfirma.com
> CC: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: Camerfirma's misissued certificate
>
> Thank you for reporting this misissuance. Since this is a different issue than described in bug 1390977, I have created a new bug to track this problem and your response: https://bugzilla.mozilla.org/show_bug.cgi?id=1431164 Please also post your incident report here.
>
> Also, the crt.sh link above is reporting the following OCSP error for this certificate: "OCSP response contains bad number of certificates". Please investigate.
>
> - Wayne
>
> On Wed, Jan 17, 2018 at 9:27 AM, Juan Angel Martin via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> Hello,
>
> I have to inform you about a misissued SSL certificate. The OU contains non-printable control characters.
>
> https://crt.sh/?id=305441195
>
> It has already been revoked.
>
> Regards
>
> Juan Angel Martin Gomez
> AC Camerfirma

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by COMODO for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software.

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Camerfirma's misissued certificate

Hi Juan. Is there a particular technical reason why you feel the need to include "all the certs chaining up to the roots" in your OCSP responses?

When an OCSP response is signed directly by the CA that issued the corresponding certificate, the OCSP response does not need to contain any certificates at all.

When a CA uses an Authorized Responder, the OCSP response needs to contain 1 certificate (i.e., the leaf cert, issued directly by the CA, that contains the id-kp-ocspSigning EKU OID).

I don't see any circumstance in which including >1 certificate in an OCSP response provides any benefit. All it does is bloat the OCSP response unnecessarily.

The TLS client's certificate path validation algorithm validates the issuing CA. Therefore, the OCSP response validation algorithm only needs to validate the OCSP response up to that issuing CA, not all the way up to the root.

On 18/01/18 07:34, Juan Angel Martin (AC Camerfirma) via dev-security-policy wrote:
> Hello Wayne,
>
> I investigated the OCSP issue some time ago; I can tell you that it's related to https://github.com/golang/go/issues/21527 because we send all the certs chaining up to the roots.
>
> BR
>
> Juan Angel
>
> From: Wayne Thayer [mailto:wtha...@mozilla.com]
> Sent: Wednesday, 17 January 2018 19:14
> To: martin...@camerfirma.com
> CC: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: Camerfirma's misissued certificate
>
> Thank you for reporting this misissuance. Since this is a different issue than described in bug 1390977, I have created a new bug to track this problem and your response: https://bugzilla.mozilla.org/show_bug.cgi?id=1431164 Please also post your incident report here.
>
> Also, the crt.sh link above is reporting the following OCSP error for this certificate: "OCSP response contains bad number of certificates". Please investigate.
>
> - Wayne
>
> On Wed, Jan 17, 2018 at 9:27 AM, Juan Angel Martin via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> Hello,
>
> I have to inform you about a misissued SSL certificate. The OU contains non-printable control characters.
>
> https://crt.sh/?id=305441195
>
> It has already been revoked.
>
> Regards
>
> Juan Angel Martin Gomez
> AC Camerfirma

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
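The certificate-count rule Rob lays out above, as an added Go example that is not code from this thread, from Camerfirma's responder, or from any OCSP library. Go is used because the thread ties the crt.sh error to a Go issue. The block assembles a minimal RFC 6960 BasicOCSPResponse carrying 0, 1 or 3 certificates and classifies each the way a strict verifier would: no certificates means the issuing CA signed directly; exactly one certificate is acceptable only if that CA issued it and it carries id-kp-OCSPSigning; anything more is flagged. Everything here is this example's own: the `basicOCSPResponse` struct keeps tbsResponseData opaque and leaves the signature empty (nothing is signed or verified), the root / issuing CA / OCSP-signer chain is generated in memory as constructed test material, and `buildResponse`, `classifyResponse`, `demoChain`, `must` and the `Verdict` values are invented names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Minimal RFC 6960 BasicOCSPResponse; only certs matters here, so tbsResponseData stays opaque DER.
type basicOCSPResponse struct {
	TBSResponseData    asn1.RawValue
	SignatureAlgorithm pkix.AlgorithmIdentifier
	Signature          asn1.BitString
	Certificates       []asn1.RawValue `asn1:"explicit,tag:0,optional"`
}

// buildResponse assembles a BasicOCSPResponse carrying the given DER certs (constructed fixture: empty body, empty signature).
func buildResponse(certsDER [][]byte) ([]byte, error) {
	resp := basicOCSPResponse{
		TBSResponseData:    asn1.RawValue{Class: asn1.ClassUniversal, Tag: asn1.TagSequence, IsCompound: true},
		SignatureAlgorithm: pkix.AlgorithmIdentifier{Algorithm: asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2}}, // ecdsa-with-SHA256
	}
	for _, der := range certsDER { // a nil slice leaves the OPTIONAL [0] certs field absent
		resp.Certificates = append(resp.Certificates, asn1.RawValue{FullBytes: der})
	}
	return asn1.Marshal(resp)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

type Verdict string
const (
	DirectlySigned     Verdict = "signed-by-issuing-ca" // 0 certs: nothing to embed
	DelegatedResponder Verdict = "delegated-responder"  // 1 cert: the responder's own
	TooManyCerts       Verdict = "too-many-certs"       // >1 certs: chain bloat, strict parsers reject
	BadResponderCert   Verdict = "bad-responder-cert"   // 1 cert, but not a valid responder cert
)

// classifyResponse applies the rule from the mail above: no certs when the issuing CA signs directly, otherwise
// exactly one cert issued by that CA carrying id-kp-OCSPSigning; the path above the CA is the TLS client's job.
func classifyResponse(der []byte, issuer *x509.Certificate) (Verdict, error) {
	var resp basicOCSPResponse
	if _, err := asn1.Unmarshal(der, &resp); err != nil {
		return "", err
	}
	if n := len(resp.Certificates); n == 0 {
		return DirectlySigned, nil
	} else if n > 1 {
		return TooManyCerts, fmt.Errorf("response carries %d certificates, at most 1 expected", n)
	}
	cert, err := x509.ParseCertificate(resp.Certificates[0].FullBytes)
	if err != nil {
		return BadResponderCert, err
	}
	if err := cert.CheckSignatureFrom(issuer); err != nil {
		return BadResponderCert, fmt.Errorf("responder cert not issued by the CA: %w", err)
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			return DelegatedResponder, nil
		}
	}
	return BadResponderCert, fmt.Errorf("responder cert lacks id-kp-OCSPSigning")
}

// demoChain: throwaway root -> issuing CA -> OCSP signer chain with in-memory P-256 keys (constructed test material); returns the issuing CA and DER certs [signer, CA, root].
func demoChain() (*x509.Certificate, [][]byte) {
	tmpl := func(cn string, serial int64, isCA bool, ku x509.KeyUsage, eku ...x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			IsCA: isCA, BasicConstraintsValid: true, KeyUsage: ku, ExtKeyUsage: eku}
	}
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, caKey, signerKey := newKey(), newKey(), newKey()
	root := tmpl("Demo Root", 1, true, x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign)
	rootCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, root, root, &rootKey.PublicKey, rootKey))))
	ca := tmpl("Demo Issuing CA", 2, true, x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign)
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, ca, rootCert, &caKey.PublicKey, rootKey))))
	signer := tmpl("Demo OCSP Responder", 3, false, x509.KeyUsageDigitalSignature, x509.ExtKeyUsageOCSPSigning)
	signerDER := must(x509.CreateCertificate(rand.Reader, signer, caCert, &signerKey.PublicKey, caKey))
	return caCert, [][]byte{signerDER, caCert.Raw, rootCert.Raw}
}

func main() {
	issuer, chain := demoChain()
	for _, certs := range [][][]byte{nil, chain[:1], chain} {
		fmt.Println(len(certs), "embedded cert(s):", fmt.Sprint(classifyResponse(must(buildResponse(certs)), issuer)))
	}
}
```

Running it prints one line per fixture: the empty response is accepted as signed by the issuing CA, the single responder certificate passes because that CA issued it and it carries id-kp-OCSPSigning, and the three-certificate response (signer, issuing CA, root) is rejected with its count. The check deliberately stops at the issuing CA: the client has already built and validated the path above it, so an embedded intermediate or root adds bytes to every response without giving the verifier anything it can use, and a parser that enforces the count will refuse the whole response.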
RE: Camerfirma's misissued certificate

Hello Wayne,

I investigated the OCSP issue some time ago; I can tell you that it's related to https://github.com/golang/go/issues/21527 because we send all the certs chaining up to the roots.

BR

Juan Angel

From: Wayne Thayer [mailto:wtha...@mozilla.com]
Sent: Wednesday, 17 January 2018 19:14
To: martin...@camerfirma.com
CC: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Camerfirma's misissued certificate

Thank you for reporting this misissuance. Since this is a different issue than described in bug 1390977, I have created a new bug to track this problem and your response: https://bugzilla.mozilla.org/show_bug.cgi?id=1431164 Please also post your incident report here.

Also, the crt.sh link above is reporting the following OCSP error for this certificate: "OCSP response contains bad number of certificates". Please investigate.

- Wayne

On Wed, Jan 17, 2018 at 9:27 AM, Juan Angel Martin via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Hello,
>
> I have to inform you about a misissued SSL certificate. The OU contains non-printable control characters.
>
> https://crt.sh/?id=305441195
>
> It has already been revoked.
>
> Regards
>
> Juan Angel Martin Gomez
> AC Camerfirma
Re: Camerfirma's misissued certificate

Thank you for reporting this misissuance. Since this is a different issue than described in bug 1390977, I have created a new bug to track this problem and your response: https://bugzilla.mozilla.org/show_bug.cgi?id=1431164

Please also post your incident report here.

Also, the crt.sh link above is reporting the following OCSP error for this certificate: "OCSP response contains bad number of certificates". Please investigate.

- Wayne

On Wed, Jan 17, 2018 at 9:27 AM, Juan Angel Martin via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Hello,
>
> I have to inform you about a misissued SSL certificate. The OU contains non-printable control characters.
>
> https://crt.sh/?id=305441195
>
> It has already been revoked.
>
> Regards
>
> Juan Angel Martin Gomez
> AC Camerfirma