Closed Bug 1426238 Opened 2 years ago Closed 2 years ago

QuoVadis: Non-BR-Compliant OCSP Responder

Categories: NSS :: CA Certificate Compliance, task
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: wayne; Assigned: sdavidson; NeedInfo
Whiteboard: [ca-compliance]

The OCSP responder for the QuoVadis ElDI-V CA G1 intermediate is returning a good response for an invalid serial number as reported here: https://crt.sh/ocsp-responders?randomserial=Good&trustedBy=Mozilla&trustedFor=Server%20Authentication&trustedExclude=constrained,expired,onecrl&randomserial=Good&sort=2&dir=v

As per section 4.9.10 of the BRs, OCSP responders MUST NOT respond with a “good” status for unissued certificates. The effective date for this requirement was 2013-08-01.

Please provide an incident report in this bug, as described here:
https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
Assignee: kwilson → sdavidson
Flags: needinfo?(sdavidson)
Whiteboard: [ca-compliance]
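The requirement quoted above (BR 4.9.10: no "good" for a serial the CA never issued) is easy to probe in the same way the crt.sh "random serial" check does: ask the responder about a random serial number and see whether it answers "good". The following script is an added example, not code from this bug, from crt.sh or from QuoVadis; it assumes openssl(1) is in PATH, that you have the intermediate CA certificate in PEM form (here called ISSUER_PEM), and that you know its OCSP URL from the AIA extension (here OCSP_URL). The random serial is 128 bits, so it will not collide with any serial the CA actually issued.

```shell
#!/bin/sh
# Added example (not from the bug report): probe an OCSP responder with an
# unissued serial number, the way the crt.sh random-serial check does.
# BR 4.9.10 requires any answer other than "good" for such a serial.
# Assumptions: openssl(1) in PATH; ISSUER_PEM = the intermediate CA cert
# whose responder is tested; OCSP_URL = that CA's AIA OCSP URL.

# Generate a random 16-byte (128-bit) serial as 32 lowercase hex digits.
random_serial() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Classify the text that `openssl ocsp` prints. Prints one of:
#   good | revoked | unknown | responder_error | error
# openssl prints the per-certificate result as "<serial>: <status>";
# a responder-level failure is printed as "Responder Error: ...".
# Only "good" is the non-compliant answer for an unissued serial.
classify_ocsp_output() {
    # $1: captured stdout+stderr of openssl ocsp
    case "$1" in
        *"Responder Error"*) echo responder_error ;;
        *": good"*)          echo good ;;
        *": revoked"*)       echo revoked ;;
        *": unknown"*)       echo unknown ;;
        *)                   echo error ;;
    esac
}

# Run one probe. Returns 0 if the responder is compliant for this serial
# (anything but "good"), 1 if it answered "good" for a serial it never
# issued, 2 if the query itself failed (no answer to judge).
# -noverify skips checking the response signature; for a compliance probe
# that is acceptable, for production monitoring add -VAfile/-CAfile instead.
probe_random_serial() {
    issuer_pem="$1"
    ocsp_url="$2"
    serial="$(random_serial)"
    out="$(openssl ocsp -issuer "$issuer_pem" -serial "0x$serial" \
               -url "$ocsp_url" -noverify 2>&1)"
    status="$(classify_ocsp_output "$out")"
    echo "serial 0x$serial -> $status"
    case "$status" in
        good)
            echo "NON-COMPLIANT: 'good' for an unissued serial (BR 4.9.10)"
            return 1 ;;
        error)
            echo "$out"
            return 2 ;;
        *)
            return 0 ;;
    esac
}
```

Usage: `probe_random_serial intermediate.pem http://ocsp.example.invalid/` (both arguments are placeholders); run it a few times, since a responder that is only partially misconfigured may answer differently per serial. A "responder_error" result (for example "unauthorized") is compliant, because the responder did not assert "good".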
Acknowledged. I will respond shortly, but confirm that this misconfiguration was addressed quickly when Rob Stradling's report was published.
We became aware that the QuoVadis ElDI-V CA G1 intermediate was returning good for random serials via Rob Stradling's report on 12/11.

The issue was resolved on 12/13.

ElDI-V CA G1 has the "any policy" set and thus falls under the BR. However, the CA does not have any TLS/SSL policies configured, and has never been used to issue end entity TLS/SSL certificates.

It was misunderstood that the CA did not have to comply with the BR. Additional checks were performed to ensure that no other CAs remained out of compliance in this regard.

External auditors will be informed.
Per the crt.sh report, this issue has been resolved.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED