Closed Bug 1426238 Opened 6 years ago Closed 6 years ago

QuoVadis: Non-BR-Compliant OCSP Responder


(CA Program :: CA Certificate Compliance, task)

Not set


(Not tracked)



(Reporter: wthayer, Assigned: sdavidson, NeedInfo)


(Whiteboard: [ca-compliance] [ocsp-failure])

The OCSP responder for the QuoVadis ElDI-V CA G1 intermediate is returning a good response for an invalid serial number as reported here:,expired,onecrl&randomserial=Good&sort=2&dir=v

As per section 4.9.10 of the BRs, OCSP responders MUST NOT respond with a “good” status for unissued certificates. The effective date for this requirement was 2013-08-01.

Please provide an incident report in this bug, as described here:
Assignee: kwilson → sdavidson
Flags: needinfo?(sdavidson)
Whiteboard: [ca-compliance]
Acknowledged.  I will respond shortly, but confirm that this misconfiguration was addressed quickly when Rob Stradling's report was published.
We became aware that the QuoVadis ElDI-V CA G1 intermediate was returning good for random serials via Rob Stradling's report on 12/11.

The issue was resolved on 12/13.

ElDI-V CA G1 has the "any policy" set and thus falls under the BR.  However, the CA does not have any TLS/SSL policies configured, and has never been used to issue end entity TSL/SSL certificates.  

It was misunderstood that the CA did not have to comply with the BR.  Additional checks were performed to ensure that no other CAs remained out of compliance in this regard.

External auditors will be informed.
Per the report, this issue has been resolved.
Closed: 6 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [ocsp-failure]
You need to log in before you can comment on or make changes to this bug.