Closed Bug 1426233 Opened 2 years ago Closed 2 years ago
Camerfirma: Non-BR-Compliant OCSP Responders
The OCSP responder for the InfoCert Organization Validation CA 3 and the Intesa Sanpaolo Organization Validation CA intermediates are returning a 404 for a GET request and a good response for an invalid serial number as reported here: https://crt.sh/ocsp-responders?randomserial=Good&trustedBy=Mozilla&trustedFor=Server%20Authentication&trustedExclude=constrained,expired,onecrl&randomserial=Good&sort=2&dir=v

As per section 4.9.10, OCSP responders must support the GET method. As per section 4.9.10 of the BRs, OCSP responders MUST NOT respond with a “good” status for unissued certificates. The effective date for this requirement was 2013-08-01.

Please provide an incident report in this bug, as described here: https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
Assignee: kwilson → ramirom
Hello Wayne,

I've been made aware of this problem via https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/C2vTpvouP3g at 2017/12/12 06:55 (UTC).

2017/12/12 07:00 (UTC): I contacted the technical team that manages these subCAs to correct these errors.

2017/12/19 16:42 (UTC): The technical team that manages these subCAs confirmed to me that the issue about the GET method was solved for both subCAs and the issue about the OCSP 'good' response for unissued certificates had been solved for the InfoCert subCA.

We haven't considered for now the request to stop issuing certificates of these subCAs because there aren't problematic certificates derived from these problems. The OCSP server product of InfoCert and Intesa Sanpaolo was not prepared for 4.9.10 of the BRs. The audits that were presented prior to the issuance of the SubCA certificates, since they were not directly operated by Camerfirma, were ETSI EN 319 411-1 & ETSI EN 319 411-2, and both issues were not reported to us by the auditor.

About Intesa Sanpaolo's OCSP service, the development team tells us that in the next two days (12/22/2017) it will be solved.

We are going to ask InfoCert and Intesa Sanpaolo, in addition to the annual audits, for an annual BR self-assessment.

Regards
Juan Angel
Hello,

Last 22nd December the issue about Intesa Sanpaolo's OCSP service was solved.

BR
Juan Angel
Hello Juan Angel,

I've confirmed that these OCSP responders are no longer on the crt.sh report. Your incident report does not provide enough information for items 6 and 7. Specifically:

- what are you doing to ensure that there are no other BR requirements that your subCAs are failing to meet? Relying on audits alone does not appear to be enough.
- what are you doing to ensure that these OCSP requirements will continue to be met in the future? When will these actions be completed?
Hello Wayne,

- what are you doing to ensure that there are no other BR requirements that your subCAs are failing to meet? Relying on audits alone does not appear to be enough.
---> We've included in our procedures a requirement that these subCAs complete an annual BR self-assessment.

- what are you doing to ensure that these OCSP requirements will continue to be met in the future? When will these actions be completed?
--> We've included in our procedures a daily check of https://crt.sh/ocsp-responders?randomserial=Good&trustedBy=Mozilla&trustedFor=Server%20Authentication&trustedExclude=constrained,expired,onecrl&randomserial=Good&sort=2&dir=v
--> We have incorporated into our team a senior PKI expert in charge of the CAB Forum distribution list, MDSP, CCADB, self-assessment and communication management. This person is in charge of identifying changes to make sure that, in future, all ramifications of all changes to the BRs are incorporated into our operations, both procedural and technical.

BR
Juan Angel
Thank you for the response Juan Angel. I am marking this issue as resolved.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED