Bug 1425998
Opened 6 years ago
Closed 6 years ago
Certinomis / Docapost: Non-BR-Compliant OCSP Responders
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: wthayer, Assigned: franck.leroy, NeedInfo)
Details
(Whiteboard: [ca-compliance] [ocsp-failure])
The OCSP responder for the Easy CA intermediate is returning a good response for an invalid serial number as reported here: https://crt.sh/ocsp-responders?randomserial=Good&trustedBy=Mozilla&trustedFor=Server%20Authentication&trustedExclude=constrained,expired,onecrl&randomserial=Good&sort=2&dir=v

As per section 4.9.10 of the BRs, OCSP responders MUST NOT respond with a “good” status for unissued certificates. The effective date for this requirement was 2013-08-01.

Please provide an incident report in this bug, as described here: https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
Reporter
Updated • 6 years ago
Flags: needinfo?(franck.leroy)
Reporter
Updated • 6 years ago
Assignee: kwilson → franck.leroy
Whiteboard: [ca-compliance]
Comment 1 • 6 years ago
Hello,

Due to an overload on the OCSP server on December 12th, the requests have been routed to a more powerful server. Unfortunately there is a misconfiguration on this server (the property "Non existing is good" is checked).

So I revert back to the old server today, and we will update the new server by January (a database synchronization with the CA-DB is needed to remove this property). The impact is that the OCSP server performance may be degraded in the meantime.

Best regards,
Franck Leroy
Reporter
Comment 2 • 6 years ago
The crt.sh report indicates that this problem has been fixed.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Updated • 1 year ago
Product: NSS → CA Program
Updated • 1 year ago
Summary: Certinomis/Docapost: Non-BR-Compliant OCSP Responders → Certinomis / Docapost: Non-BR-Compliant OCSP Responders
Updated • 1 year ago
Whiteboard: [ca-compliance] → [ca-compliance] [ocsp-failure]
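The failure discussed in this bug, as an added example that is not part of the original thread or of any responder product: a toy status lookup with a switch modelled on the "Non existing is good" property from comment 1, and a random-serial probe in the spirit of the crt.sh check. The class, function names and sample serials are hypothetical and constructed for illustration.

```python
import secrets
from enum import Enum


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


class ToyResponder:
    """Hypothetical model of a responder's status lookup, not a real product."""

    def __init__(self, issued, revoked, non_existing_is_good=False):
        self.issued = set(issued)
        self.revoked = set(revoked)
        # Models the "Non existing is good" property named in comment 1.
        self.non_existing_is_good = non_existing_is_good

    def status(self, serial):
        if serial in self.revoked:
            return CertStatus.REVOKED
        if serial in self.issued:
            return CertStatus.GOOD
        # The serial was never issued by this CA.
        if self.non_existing_is_good:
            return CertStatus.GOOD  # the non-compliant answer
        return CertStatus.UNKNOWN  # RFC 6960 also permits "revoked" here


def random_serial_probe(responder, attempts=5):
    """Ask about random serials; return those answered "good"."""
    violations = []
    for _ in range(attempts):
        # Top bit forced to 1 so the value cannot collide with the small
        # constructed serials below.
        serial = (1 << 127) | secrets.randbits(127)
        if responder.status(serial) is CertStatus.GOOD:
            violations.append(serial)
    return violations


# Constructed sample data: two issued serials, one of them revoked.
ISSUED, REVOKED = {0x1001, 0x1002}, {0x1002}
misconfigured = ToyResponder(ISSUED, REVOKED, non_existing_is_good=True)
compliant = ToyResponder(ISSUED, REVOKED)

if __name__ == "__main__":
    print("misconfigured:", len(random_serial_probe(misconfigured)), "violations")
    print("compliant:", len(random_serial_probe(compliant)), "violations")
```

Any non-empty result from the probe means the responder vouches for certificates the CA never issued, which is the condition section 4.9.10 prohibits.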