Corey Bonnell posted the following message to the mozilla.dev.security.policy list:

I discovered that the following Baltimore CyberTrust Root-chained intermediates are disclosed in CCADB and are revoked via CRL, but the OCSP responder is returning "good":

DigiCert
crt.sh URL(s),notBefore,notAfter,subject CN,issuer CN
https://clicktime.symantec.com/3GqSUWeMsiuccdDg8FV74mK7Vc?u=https%3A%2F%2Fcrt.sh%2F%3Fid%3D3528065,2014-02-12,2021-02-12,Bechtel External Policy CA 1,Baltimore CyberTrust Root
https://clicktime.symantec.com/3QitWkthhibn6J3dyv2WjMK7Vc?u=https%3A%2F%2Fcrt.sh%2F%3Fid%3D91478106,2014-04-16,2024-04-16,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
https://clicktime.symantec.com/3GDackCrAv2JK3LE1ejLmCb7Vc?u=https%3A%2F%2Fcrt.sh%2F%3Fid%3D12625621,2014-04-16,2024-04-16,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
https://clicktime.symantec.com/3CPUS2fftSKXmYYJpwrxa997Vc?u=https%3A%2F%2Fcrt.sh%2F%3Fid%3D91478107,2014-04-16,2024-04-16,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
https://clicktime.symantec.com/34vSegkxwLnEhzzA2c8n23e7Vc?u=https%3A%2F%2Fcrt.sh%2F%3Fid%3D12620974,2014-09-10,2024-09-10,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
https://clicktime.symantec.com/32GsGFkYLsck8uJmXJc9Ky17Vc?u=https%3A%2F%2Fcrt.sh%2F%3Fid%3D6906659,2015-03-03,2022-03-03,ABB Intermediate CA 3,Baltimore CyberTrust Root
https://clicktime.symantec.com/3Gbhskg8uybb9uykbTxfo1h7Vc?u=https%3A%2F%2Fcrt.sh%2F%3Fid%3D6976985,2015-03-18,2022-03-18,Bechtel External Policy CA 1,Baltimore CyberTrust Root
https://clicktime.symantec.com/3QaVKssB27cqRnuH6nnqUrX7Vc?u=https%3A%2F%2Fcrt.sh%2F%3Fid%3D35335507,2015-05-21,2022-05-21,ABB Intermediate CA 3,Baltimore CyberTrust Root
https://clicktime.symantec.com/3TjvAB1yvCCo15dr1ecGvbd7Vc?u=https%3A%2F%2Fcrt.sh%2F%3Fid%3D78292184,2016-11-30,2020-11-30,Eurida Primary CA,Baltimore CyberTrust Root

Given that software may rely on OCSP responses for revocation checking (as opposed to CRLs or some other mechanism), I wanted to notify the Mozilla community of this inconsistent revocation information.

Please provide an incident report for this problem, as described here: https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
Bug 1523676 Comment 0 Edit History
Corey Bonnell posted the following message to the mozilla.dev.security.policy list:

I discovered that the following Baltimore CyberTrust Root-chained intermediates are disclosed in CCADB and are revoked via CRL, but the OCSP responder is returning "good":

DigiCert
crt.sh URL(s),notBefore,notAfter,subject CN,issuer CN
https://crt.sh/?id=3528065,2014-02-12,2021-02-12,Bechtel External Policy CA 1,Baltimore CyberTrust Root
https://crt.sh/?id=91478106,2014-04-16,2024-04-16,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
https://crt.sh/?id=12625621,2014-04-16,2024-04-16,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
https://crt.sh/?id=91478107,2014-04-16,2024-04-16,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
https://crt.sh/?id=12620974,2014-09-10,2024-09-10,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
https://crt.sh/?id=6906659,2015-03-03,2022-03-03,ABB Intermediate CA 3,Baltimore CyberTrust Root
https://crt.sh/?id=6976985,2015-03-18,2022-03-18,Bechtel External Policy CA 1,Baltimore CyberTrust Root
https://crt.sh/?id=35335507,2015-05-21,2022-05-21,ABB Intermediate CA 3,Baltimore CyberTrust Root
https://crt.sh/?id=78292184,2016-11-30,2020-11-30,Eurida Primary CA,Baltimore CyberTrust Root

Given that software may rely on OCSP responses for revocation checking (as opposed to CRLs or some other mechanism), I wanted to notify the Mozilla community of this inconsistent revocation information.

Please provide an incident report for this problem, as described here: https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
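
A consistency check of the kind the report describes, as an added example that is not part of the original message or of any Mozilla or DigiCert tooling: it flags serial numbers that a CRL lists as revoked while a successful OCSP response says "good", using the Python cryptography package. The PKI below is constructed with throwaway keys, names and serials, and the check assumes every OCSP response is for a certificate issued by the CRL's issuer.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

def crl_ocsp_mismatches(crl, ocsp_responses):
    """Serials the CRL lists as revoked while a successful OCSP response says GOOD."""
    mismatches = []
    for resp in ocsp_responses:
        if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
            continue  # error responses carry no certificate status
        revoked = crl.get_revoked_certificate_by_serial_number(resp.serial_number)
        if revoked is not None and resp.certificate_status == ocsp.OCSPCertStatus.GOOD:
            mismatches.append(resp.serial_number)
    return mismatches

# Constructed throwaway PKI (assumed names and serials, not the reported certificates).
NOW = dt.datetime(2020, 1, 1)
WEEK = dt.timedelta(days=7)
KEY = ec.generate_private_key(ec.SECP256R1())

def _cert(cn, serial):
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    return (x509.CertificateBuilder()
            .subject_name(name(cn)).issuer_name(name("Example Root"))
            .public_key(KEY.public_key()).serial_number(serial)
            .not_valid_before(NOW).not_valid_after(NOW + 52 * WEEK)
            .sign(KEY, hashes.SHA256()))

ROOT = _cert("Example Root", 1)
REVOKED_ICA = _cert("Example Intermediate A", 1001)
VALID_ICA = _cert("Example Intermediate B", 1002)

def ocsp_good(cert):
    # Simulates a responder that answers GOOD regardless of the CRL.
    return (ocsp.OCSPResponseBuilder()
            .add_response(cert=cert, issuer=ROOT, algorithm=hashes.SHA256(),
                          cert_status=ocsp.OCSPCertStatus.GOOD, this_update=NOW,
                          next_update=NOW + WEEK, revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ROOT)
            .sign(KEY, hashes.SHA256()))

CRL = (x509.CertificateRevocationListBuilder()
       .issuer_name(ROOT.subject).last_update(NOW).next_update(NOW + WEEK)
       .add_revoked_certificate(x509.RevokedCertificateBuilder()
                                .serial_number(1001).revocation_date(NOW).build())
       .sign(KEY, hashes.SHA256()))
print(crl_ocsp_mismatches(CRL, [ocsp_good(REVOKED_ICA), ocsp_good(VALID_ICA)]))
```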