Closed Bug 1425998 Opened 2 years ago Closed 2 years ago

Certinomis/Docapost: Non-BR-Compliant OCSP Responders

Categories

(NSS :: CA Certificate Compliance, task)

task
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: wayne, Assigned: franck.leroy, NeedInfo)

Details

(Whiteboard: [ca-compliance])

The OCSP responder for the Easy CA intermediate is returning a good response for an invalid serial number as reported here: https://crt.sh/ocsp-responders?randomserial=Good&trustedBy=Mozilla&trustedFor=Server%20Authentication&trustedExclude=constrained,expired,onecrl&randomserial=Good&sort=2&dir=v

As per section 4.9.10 of the BRs, OCSP responders MUST NOT respond with a “good” status for unissued certificates. The effective date for this requirement was 2013-08-01.

Please provide an incident report in this bug, as described here:
https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
Flags: needinfo?(franck.leroy)
Assignee: kwilson → franck.leroy
Whiteboard: [ca-compliance]
Hello

Due to an overload on the OCSP server on December 12th, the requests have been routed to a more powerful server.

Unfortunately there is a misconfiguration on this server (the property "Non existing is good" is checked).

So I revert back to the old server today, and we will update the new server by January (a database synchronization with the CA-DB is needed to remove this property).

The impact is that the OCSP server performance may be degraded in the meantime.

Best regards
Franck Leroy
The crt.sh report indicates that this problem has been fixed.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.