Closed
Bug 1483370
Opened 6 years ago
Closed 6 years ago
CCADB entries generated 2018-08-14T13:55:44Z
Categories
(Core :: Security Block-lists, Allow-lists, and other State, enhancement)
Tracking
RESOLVED
INCOMPLETE
People
(Reporter: wthayer, Unassigned)
Details
Here are some entries: Please ensure that the entries are correct.
Reporter
Comment 1 • 6 years ago
(3, 61F263F68DC83C12, AC Firmaprofesional - CFEA) no match found in CRL:
(5, 1EF001DC1C2163C8, AC Firmaprofesional - OTC) no match found in CRL:
(13, 61F742656C91575B12C795F1CA85CA49, CYTA CA) no match found in CRL:
(15, 7BD7E9F29A09E230EAA47C5573EED2A0, Alpha Bank CA) no match found in CRL:
(19, 5122125855911C6A79DF45507364B5FD, Universal Bank Ukraine CA) no match found in CRL:
(20, 216E6BC44090E4B1324463DE644F75BA, CYTA CA) no match found in CRL:
Reporter
Comment 2 • 6 years ago
Kathleen: please verify that the entries in comment #1 should be added to OneCRL even though they're not revoked via the CA's CRL.
Blocks: 1480853
Flags: needinfo?(kwilson)
Comment 3 • 6 years ago
(In reply to Wayne Thayer [:wayne] from comment #1)
> (3, 61F263F68DC83C12, AC Firmaprofesional - CFEA) no match found in CRL:
>
> (5, 1EF001DC1C2163C8, AC Firmaprofesional - OTC) no match found in CRL:
Not Revoked, but these two certs are not intended for TLS, so CA asked to add to OneCRL via Bug #1465531.
>
> (13, 61F742656C91575B12C795F1CA85CA49, CYTA CA) no match found in CRL:
>
> (15, 7BD7E9F29A09E230EAA47C5573EED2A0, Alpha Bank CA) no match found in CRL:
>
> (19, 5122125855911C6A79DF45507364B5FD, Universal Bank Ukraine CA) no match
> found in CRL:
>
> (20, 216E6BC44090E4B1324463DE644F75BA, CYTA CA) no match found in CRL:
Not sure what is going on with DigiCert's CRLs! :-(
All 4 of these were previously listed in their CRLs -- I had verified this.
You can also see this in crt.sh:
https://crt.sh/?id=319514939
https://crt.sh/?id=12721460
https://crt.sh/?id=319515189
https://crt.sh/?id=319514867
However, I just re-downloaded the CRLs...
http://crl.adacom.com/c2ca-g4.crl
Last Update: Nov 24 00:00:00 2017 GMT
Next Update: Dec 8 23:59:59 2018 GMT
http://crl.adacom.com/c2ca-g3.crl
Last Update: Nov 19 00:00:00 2017 GMT
Next Update: Dec 3 23:59:59 2018 GMT
Do you have time to ping DigiCert about this?
We could proceed with this OneCRL update without these 4 entries, and reconsider them in our next batch.
Flags: needinfo?(kwilson)
Reporter
Comment 4 • 6 years ago
Emailed Ben Wilson.
NI:Mark since I don't know how to remove these entries from the batch.
Flags: needinfo?(mgoodwin)
Comment 5 • 6 years ago
(In reply to Wayne Thayer [:wayne] from comment #4)
> Emailed Ben Wilson.
>
> NI:Mark since I don't know how to remove these entries from the batch.
Probably the best thing to do here is for you to log into kinto-admin, find the items we want to remove and remove them from there. Once that's done you should be able to request review again and I can approve them at that point.
Ping if you need more information on how to do this (or just want me to be on hand while you try it).
Flags: needinfo?(mgoodwin)
Comment 6 • 6 years ago
(In reply to Mark Goodwin [:mgoodwin] from comment #5)
> Ping if you need more information on how to do this (or just want me to be
> on hand while you try it).
Some useful pointers:
* You'll need to be logged into the VPN to access kinto-admin.
* The changes you are concerned about are in the "certificates" collection in the "staging" bucket
* You can get information on the changed records by clicking 'details' next to 'changes' in the change summary
* Each record ID links to a more detailed view of that individual record - you can then match the serial number and issuer data of the record to what you're looking for and delete the record if you wish...
It occurs to me, with there being so many records, it may make sense for me to just reject the change and we can run the job again?
Comment 7 • 6 years ago
I contacted ADACOM to warn them about the outdated CRLs and the current ones are now posted again.
Reporter
Comment 8 • 6 years ago
I confirmed that the 4 certificates listed in comment 3 are now in the CRLs.
Mark: we don't need to remove these entries. Please proceed with your review of this change.
I created bug 1483639 requesting an explanation for the outdated CRLs.
Reporter
Comment 9 • 6 years ago
Cancelling this bug because attachments were not generated. This OneCRL run is being processed in bug 1484351.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
Comment 10 • 3 years ago
Moving bug to Core::Security Block-lists, Allow-lists, and other State.
Component: Blocklist Policy Requests → Security Block-lists, Allow-lists, and other State
Product: Toolkit → Core