Thanks Rob! I went through the list and filed a bug for each CA if there
wasn't one already open (with one exception that I'm still researching).
All open OCSP issues are included in the list at
https://wiki.mozilla.org/CA/Incident_Dashboard
Wayne
On Mon, Dec 11, 2017 at 10:49 PM, Rob Stradling
No. It has been prohibited for years in the Baseline Requirements. With an
expectation that CAs monitor such requests in light of DigiNotar
On Mon, Dec 11, 2017 at 8:54 PM Peter Gutmann via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Rob Stradling via dev-security-policy writes:
>CAs / Responder URLs that are in scope for, but violate, the BR prohibition
>on returning a signed "Good" response for a random serial number
Isn't that perfectly valid? Despite the misleading name,
Inspired by Paul Kehrer's research a few months ago, I've added a
continuous OCSP Monitoring feature to crt.sh:
https://crt.sh/ocsp-responders
This page shows the latest results of 3 OCSP checks (performed hourly)
against each CA / Responder URL that crt.sh has ever encountered:
1. a GET
Hi Ben,
DN: CN=Cartão de Cidadão 001, OU=ECEstado, O=SCEE - Sistema de Certificação Electrónica do Estado, C=PT
Downloading the issuer (https://crt.sh/?id=8949008) and then running:
openssl ocsp -issuer 8949008.crt -serial 101010101010101101010101010
-no_nonce -url
Could someone re-check Multicert and SCEE? (See below.) They have indicated to
us that they have now patched their OCSP responder systems.
DN: CN=Cartão de Cidadão 001, OU=ECEstado, O=SCEE - Sistema de Certificação Electrónica do Estado, C=PT
Example cert: https://crt.sh/?id=12729446
OCSP
> AS Sertifitseerimiskeskuse (SK)
>
> CCADB does not list an email address. Not CC'd.
>
> DN: C=EE, O=AS Sertifitseerimiskeskus, CN=EE Certification Centre Root CA,
> emailAddress=p...@sk.ee
> Example cert:
> https://crt.sh/?q=74d992d3910bcf7e34b8b5cd28f91eaeb4f41f3da6394d78b8c43672d43f4f0f
>
@lists.mozilla.org] On
Behalf Of Paul Kehrer via dev-security-policy
Sent: Friday, September 8, 2017 6:19 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Violations of Baseline Requirements 4.9.10
On September 9, 2017 at 2:16:38 AM, Kathleen Wilson via dev-security-policy
(dev-security-policy@lists.mozilla.org) wrote:
Bugs filed…
~
Thanks,
Kathleen
Thank you very much Kathleen! If I receive additional responses I will
update the bugs directly.
-Paul
Bugs filed…
>
> AS Sertifitseerimiskeskuse (SK)
>
Bug #1398233
>
> Autoridad de Certificacion Firmaprofesional
>
Bug #1398240
>
> CA Disig a.s. (Fixed as of 2017-08-31)
>
Bug #1398242
>
> certSIGN (partially resolved)
>
Bug #1398243
>
> Consorci Administració Oberta de Catalunya
> On Sep 8, 2017, at 12:27, Kathleen Wilson via dev-security-policy
> wrote:
>
>> I have updated the list again to note the additional responders fixed (in
>> this update: CA Disig, PKIoverheid, Izenpe). To make this email slightly
>> less enormous I've
I'm going to file the Bugzilla Bugs for each of these CAs, as follows.
==
Bug Summary: Non-BR-Compliant OCSP Responders
Bug Description:
Problems have been found with OCSP responders for this CA, and reported in the
mozilla.dev.security.policy forum here:
I have updated the list again to note the additional responders fixed (in
this update: CA Disig, PKIoverheid, Izenpe). To make this email slightly
less enormous I've also started removing everything but the CA's name when
I have confirmed that all the reported responders are now properly
Hi Paul,
Problem with OCSP response for RootCA (CA Disig Root R1 and CA Disig Root R2)
was fixed on Thursday August 31, 2017.
Regards
Peter Miskovic
From: Paul Kehrer [mailto:paul.l.keh...@gmail.com]
Sent: Tuesday, August 29, 2017 2:48 PM
To:
> Government of The Netherlands, PKIoverheid (Logius)
>
> DN: C=NL, O=KPN Corporate Market BV, CN=KPN Corporate Market CSP Organisatie CA - G2
> Example cert:
> https://crt.sh/?q=f821a600af00d2fa23f569e00fdf2379bc182920205a6b9b0276733cb2857c15
> OCSP URI: http://ocsp2.managedpki.com
Dear
-security-policy-bounces+h-kamo=secom.co...@lists.mozilla.org] On
> Behalf Of Paul Kehrer
> via dev-security-policy
> Sent: Thursday, August 31, 2017 10:02 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Violations of Baseline Requirements 4.9.10
>
>
Kurt, I think both the past experiences of m.d.s.policy with incidents that
went undetected by auditors, and my own personal experience (not as part of the
Web PKI) with professional audit firms is that they're not strong on the sort
of technical requirements that we've seen here.
If the rule
On Wednesday, 30 August 2017, 10:58:34 (UTC+2), Paul Kehrer wrote:
> Hi David,
>
> If you use the cert at https://crt.sh/?id=1616324 as issuer (the root
> itself) and run this command:
>
> openssl ocsp -issuer 1616324.crt -serial 10101010101010111101001101
> -url
On 2017-08-29 14:47, Paul Kehrer wrote:
I've recently completed a scan of OCSP responders with a focus on checking
whether they are compliant with BR section 4.9.10's requirement: "Effective
1 August 2013, OCSP responders for CAs which are not Technically
Constrained in line with Section 7.1.5
On 31/08/2017 07:24, Peter Miškovič wrote:
Hi Paul,
we found the problem with OCSP response for SubCA R1I1 and SubCA R2I2 and fixed
it yesterday afternoon.
Problem with OCSP response for RootCA will be fixed to the end of next week.
They are offline and there is no real possibility to issue a
I have updated the list below to try to capture all the information
provided in this thread about which responders have been fixed (and
verified using another random serial number), which ones have a date, and
removed the ones that are actually under technical constraint that I missed.
I have
Hi Paul,
we found the problem with OCSP response for SubCA R1I1 and SubCA R2I2 and fixed
it yesterday afternoon.
Problem with OCSP response for RootCA will be fixed to the end of next week.
They are offline and there is no real possibility to issue an SSL certificate
directly by them even if
On August 30, 2017 at 4:53:54 AM, Ben Wilson via dev-security-policy (
dev-security-policy@lists.mozilla.org) wrote:
This CA is technically constrained:
DN: C=CH, L=Zurich, O=ABB, CN=ABB Issuing CA 6
Hi Ben,
ABB Intermediate CA 3 (https://crt.sh/?id=7739892), which issued ABB
Issuing CA
On Tuesday, August 29, 2017 at 9:41:07 AM UTC-4, Paul Kehrer wrote:
> I've recently completed a scan of OCSP responders with a focus on checking
> whether they are compliant with BR section 4.9.10's requirement: "Effective
> 1 August 2013, OCSP responders for CAs which are not Technically
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Hi Paul,
thank you for the clarification, I thought you were talking about subordinates.
Regards,
On Wednesday, 30 August 2017, 10:58:34 (UTC+2), Paul Kehrer wrote:
> Hi David,
>
> If you use the cert at https://crt.sh/?id=1616324 as issuer (the root
> itself) and run this command:
>
Hi David,
If you use the cert at https://crt.sh/?id=1616324 as issuer (the root
itself) and run this command:
openssl ocsp -issuer 1616324.crt -serial 10101010101010111101001101 -url http://ocsp.izenpe.com -noverify
You will get back
This Update: Jun 22 11:06:43 2017 GMT
Next Update: Jun
Hi Paul,
can you provide what you posted, for example attaching the OCSP response. I
mean if I query for a non-existent certificate, I get the following answer:
openssl ocsp -no_cert_verify -no_signature_verify -issuer SSLEV_IZENPE.cer
-serial 0x295990755083049101712519384020072382191 -url
Hi Paul,
thank you for the information. We had yesterday a holiday here in Slovakia. We
are starting the investigation of this problem now.
Regards.
Peter Miskovic
From: Paul Kehrer [mailto:paul.l.keh...@gmail.com]
Sent: Tuesday, August 29, 2017 2:48 PM
To:
Hi Ben,
I'm not sure it should matter that a CA _does_ only issue client certs --
in the DigiNotar-style situation for which this rule was envisioned, the
relevant thing is whether the cert is _capable_ of issuing server certs.
Alex
On Tue, Aug 29, 2017 at 12:43 PM, Ben Wilson via
On 2017-08-30 08:46, Adriano Santoni wrote:
>> - 2 are technically constrained sub-CAs (
https://crt.sh/?id=147626411 / https://crt.sh/?id=47081615 )
Those two are actually the same certificate; it's not clear to me why
they appear twice on crt.sh
I didn't look if all the name constraints
On 29/08/2017 18:50, Ryan Sleevi via dev-security-policy wrote:
On Tue, Aug 29,
This CA is technically constrained:
DN: C=CH, L=Zurich, O=ABB, CN=ABB Issuing CA 6
From: Paul Kehrer [mailto:paul.l.keh...@gmail.com]
Sent: Tuesday, August 29, 2017 6:48 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Violations of Baseline Requirements 4.9.10
I've
> Government of The Netherlands, PKIoverheid (Logius)
>
> DN: C=NL, O=KPN Corporate Market BV, CN=KPN Corporate Market CSP Organisatie CA - G2
> Example cert:
> https://crt.sh/?q=f821a600af00d2fa23f569e00fdf2379bc182920205a6b9b0276733cb2857c15
> OCSP URI: http://ocsp2.managedpki.com
Hi Paul,
On Tuesday, August 29, 2017 at 12:51:05 PM UTC-4, Ryan Sleevi wrote:
> On Tue, Aug 29, 2017 at 8:47 AM, Paul Kehrer via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> >
> > Symantec / GeoTrust
> >
> > CCADB does not list an email address. Not CC'd.
> >
> > DN: C=IT,
On Tue, Aug 29, 2017 at 8:47 AM, Paul Kehrer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> Symantec / GeoTrust
>
> CCADB does not list an email address. Not CC'd.
>
> DN: C=IT, O=UniCredit S.p.A., CN=UniCredit Subordinate External
> Example cert:
>
This CA only issues client certificates:
DN: CN=Cartão de Cidadão 001, OU=ECEstado, O=SCEE - Sistema de Certificação Electrónica do Estado, C=PT
Ben Wilson, JD, CISA, CISSP
VP Compliance
+1 801 701 9678
From: Paul Kehrer [mailto:paul.l.keh...@gmail.com]
Sent: Tuesday, August
Hello:
Many thanks. The CA listed for Government of The Netherlands, PKIoverheid
(Logius) is operated by KPN Corporate Market not QuoVadis. We will pass on the
information to PKIoverheid.
Government of The Netherlands, PKIoverheid (Logius)
Email sent to supp...@quovadisglobal.com
DN: C=NL,