Closed Bug 1483370 Opened 6 years ago Closed 6 years ago

CCADB entries generated 2018-08-14T13:55:44Z

Categories

(Core :: Security Block-lists, Allow-lists, and other State, enhancement)

RESOLVED INCOMPLETE

People

(Reporter: wthayer, Unassigned)

Details

Here are some entries: Please ensure that the entries are correct.
(3, 61F263F68DC83C12, AC Firmaprofesional - CFEA) no match found in CRL:
(5, 1EF001DC1C2163C8, AC Firmaprofesional - OTC) no match found in CRL:
(13, 61F742656C91575B12C795F1CA85CA49, CYTA CA) no match found in CRL:
(15, 7BD7E9F29A09E230EAA47C5573EED2A0, Alpha Bank CA) no match found in CRL:
(19, 5122125855911C6A79DF45507364B5FD, Universal Bank Ukraine CA) no match found in CRL:
(20, 216E6BC44090E4B1324463DE644F75BA, CYTA CA) no match found in CRL:
Kathleen: please verify that the entries in comment #1 should be added to OneCRL even though they're not revoked via the CA's CRL.
Blocks: 1480853
Flags: needinfo?(kwilson)
(In reply to Wayne Thayer [:wayne] from comment #1)
> (3, 61F263F68DC83C12, AC Firmaprofesional - CFEA) no match found in CRL:
>
> (5, 1EF001DC1C2163C8, AC Firmaprofesional - OTC) no match found in CRL:

Not Revoked, but these two certs are not intended for TLS, so CA asked to add to OneCRL via Bug #1465531.

> (13, 61F742656C91575B12C795F1CA85CA49, CYTA CA) no match found in CRL:
>
> (15, 7BD7E9F29A09E230EAA47C5573EED2A0, Alpha Bank CA) no match found in CRL:
>
> (19, 5122125855911C6A79DF45507364B5FD, Universal Bank Ukraine CA) no match found in CRL:
>
> (20, 216E6BC44090E4B1324463DE644F75BA, CYTA CA) no match found in CRL:

Not sure what is going on with DigiCert's CRLs! :-(
All 4 of these were previously listed in their CRLs -- I had verified this.
You can also see this in crt.sh:
https://crt.sh/?id=319514939
https://crt.sh/?id=12721460
https://crt.sh/?id=319515189
https://crt.sh/?id=319514867

However, I just re-downloaded the CRLs...
http://crl.adacom.com/c2ca-g4.crl
Last Update: Nov 24 00:00:00 2017 GMT
Next Update: Dec 8 23:59:59 2018 GMT
http://crl.adacom.com/c2ca-g3.crl
Last Update: Nov 19 00:00:00 2017 GMT
Next Update: Dec 3 23:59:59 2018 GMT

Do you have time to ping DigiCert about this? We could proceed with this OneCRL update without these 4 entries, and reconsider them in our next batch.
Flags: needinfo?(kwilson)
Emailed Ben Wilson. NI:Mark since I don't know how to remove these entries from the batch.
Flags: needinfo?(mgoodwin)
(In reply to Wayne Thayer [:wayne] from comment #4)
> Emailed Ben Wilson.
>
> NI:Mark since I don't know how to remove these entries from the batch.

Probably the best thing to do here is for you to log into kinto-admin, find the items we want to remove and remove them from there. Once that's done you should be able to request review again and I can approve them at that point.

Ping if you need more information on how to do this (or just want me to be on hand while you try it).
Flags: needinfo?(mgoodwin)
(In reply to Mark Goodwin [:mgoodwin] from comment #5)
> Ping if you need more information on how to do this (or just want me to be
> on hand while you try it).

Some useful pointers:
* You'll need to be logged into the VPN to access kinto-admin.
* The changes you are concerned about are in the "certificates" collection in the "staging" bucket
* You can get information on the changed records by clicking 'details' next to 'changes' in the change summary
* Each record ID links to a more detailed view of that individual record - you can then match the serial number and issuer data of the record to what you're looking for and delete the record if you wish...

It occurs to me, with there being so many records, it may make sense for me to just reject the change and we can run the job again?
I contacted ADACOM to warn them about the outdated CRLs and the current ones are now posted again.
I confirmed that the 4 certificates listed in comment 3 are now in the CRLs. Mark: we don't need to remove these entries. Please proceed with your review of this change. I created bug 1483639 requesting an explanation for the outdated CRLs.
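An outdated CRL can still be inside its Next Update window, so the "no match found in CRL" result discussed in the comments above is easier to interpret when each download is compared with the previous copy. The following is an added example, not the tooling used for this bug: it parses `openssl crl -noout -text` output, and the two CRL texts, the serial numbers and the function names are all constructed for illustration.

```python
import re
from datetime import datetime

# Constructed `openssl crl -noout -text` output (not real CRL data): an earlier
# download, and a later download in which an older CRL is being served again.
EARLIER = """\
Certificate Revocation List (CRL):
        Last Update: Aug  1 00:00:00 2018 GMT
        Next Update: Aug 15 23:59:59 2019 GMT
Revoked Certificates:
    Serial Number: 0A1B2C3D4E5F6071
        Revocation Date: Jul 20 10:00:00 2018 GMT
    Serial Number: 1122334455667788
"""
LATER = """\
Certificate Revocation List (CRL):
        Last Update: Nov 24 00:00:00 2017 GMT
        Next Update: Dec  8 23:59:59 2018 GMT
Revoked Certificates:
    Serial Number: 1122334455667788
"""

def norm(serial):
    """Normalise a hex serial: drop separators and leading zeros, upper-case."""
    return serial.replace(":", "").upper().lstrip("0")

def parse_crl_text(text):
    """Return (last_update, next_update, set of normalised revoked serials)."""
    def when(label):
        raw = re.search(rf"{label}: (.+?) GMT", text).group(1)
        return datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S %Y")
    serials = {norm(s) for s in re.findall(r"Serial Number: ([0-9A-Fa-f:]+)", text)}
    return when("Last Update"), when("Next Update"), serials

def check(entries, now_text, before_text, as_of):
    """List problems with the current CRL copy and with each entry's lookup."""
    last, nxt, revoked = parse_crl_text(now_text)
    prev_last, _, prev_revoked = parse_crl_text(before_text)
    findings = []
    if last < prev_last:
        findings.append("CRL regressed: Last Update is older than a copy already seen")
    if as_of > nxt:
        findings.append("CRL expired: Next Update has passed")
    for serial in entries:
        if norm(serial) not in revoked:
            note = " (was listed in the earlier copy)" if norm(serial) in prev_revoked else ""
            findings.append(f"{serial}: no match found in CRL{note}")
    return findings
```

A regression finding alongside a missing serial points at the CRL distribution point rather than at the entry itself.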
Cancelling this bug because attachments were not generated. This OneCRL run is being processed in bug 1484351.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
No longer blocks: 1480853

Moving bug to Core::Security Block-lists, Allow-lists, and other State.

Component: Blocklist Policy Requests → Security Block-lists, Allow-lists, and other State
Product: Toolkit → Core