1426238 - QuoVadis: Non-BR-Compliant OCSP Responder

Status: RESOLVED FIXED

(CA Program :: CA Certificate Compliance, task)

Description

[Wayne Thayer]

The OCSP responder for the QuoVadis ElDI-V CA G1 intermediate is returning a good response for an invalid serial number as reported here: https://crt.sh/ocsp-responders?randomserial=Good&trustedBy=Mozilla&trustedFor=Server%20Authentication&trustedExclude=constrained,expired,onecrl&randomserial=Good&sort=2&dir=v

As per section 4.9.10 of the BRs, OCSP responders MUST NOT respond with a “good” status for unissued certificates. The effective date for this requirement was 2013-08-01.

Please provide an incident report in this bug, as described here:
https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report

Comment 1

[Stephen Davidson]

Acknowledged.  I will respond shortly, but confirm that this misconfiguration was addressed quickly when Rob Stradling's report was published.

Comment 2

[Stephen Davidson]

We became aware that the QuoVadis ElDI-V CA G1 intermediate was returning good for random serials via Rob Stradling's report on 12/11.

The issue was resolved on 12/13.

ElDI-V CA G1 has the "any policy" set and thus falls under the BR.  However, the CA does not have any TLS/SSL policies configured, and has never been used to issue end entity TSL/SSL certificates.  

It was misunderstood that the CA did not have to comply with the BR.  Additional checks were performed to ensure that no other CAs remained out of compliance in this regard.

External auditors will be informed.

Comment 3

[Wayne Thayer]

Per the crt.sh report, this issue has been resolved.