GlobalSign: OCSP Responder Returns invalid values for Some Precertificates
Categories: CA Program :: CA Certificate Compliance, defect
Tracking: Not tracked
People: Reporter: douglas.beattie, Assigned: douglas.beattie
Details: Whiteboard: [ca-compliance]
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Steps to reproduce:
Based on announcements by DigiCert and Let's Encrypt, GlobalSign has found that our Precertificates without corresponding certificates also return Unauthorized or Unknown. We're working with PrimeKey on a patch and are also updating our own OCSP services to return the proper values.
Here are 2 examples:
https://crt.sh/?id=1707464536&opt=ocsp
https://crt.sh/?id=1725532369&opt=ocsp
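As an added example, not GlobalSign's, PrimeKey's or crt.sh's code: a small DER walker that classifies a DER-encoded OCSPResponse (RFC 6960) the way the crt.sh links above do, so that an Unauthorized or Unknown answer for a serial the CA has actually issued stands out. The sample responses are constructed inline; the "successful" ones are unsigned stubs with a placeholder certID and responder key hash.

```python
RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                   3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
CERT_STATUS_TAGS = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}  # CertStatus CHOICE tags

def read_tlv(buf, pos=0):  # decode one DER TLV at pos; returns (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):  # split the content of a constructed element into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def classify_ocsp_response(der):
    """Return [responseStatus] on failure, or one certStatus per SingleResponse on success."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not an OCSPResponse SEQUENCE")
    fields = der_children(body)
    status = RESPONSE_STATUS.get(int.from_bytes(fields[0][1], "big"), "unrecognised")
    if status != "successful":
        return [status]                    # e.g. ["unauthorized"]: responder disowns the serial
    response_bytes = der_children(fields[1][1])[0][1]          # [0] EXPLICIT -> ResponseBytes SEQUENCE
    basic = read_tlv(der_children(response_bytes)[1][1])[1]    # OCTET STRING wraps BasicOCSPResponse
    tbs = der_children(basic)[0][1]                            # ResponseData
    responses = next(val for t, val in der_children(tbs) if t == 0x30)  # SEQUENCE OF SingleResponse
    return [CERT_STATUS_TAGS.get(der_children(s)[1][0], "unrecognised") for _, s in der_children(responses)]

def check_issued_cert_status(der):
    """For a serial the CA has issued (a precertificate counts), only good/revoked is acceptable."""
    result = classify_ocsp_response(der)[0]
    return result in ("good", "revoked"), result

def der_tlv(tag, content):                 # tiny DER encoder used only for the constructed samples
    n = len(content)
    size = (n.bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")) + content

def build_sample_response(cert_status):    # constructed, unsigned BasicOCSPResponse with placeholder certID
    single = der_tlv(0x30, der_tlv(0x30, b"") + cert_status + der_tlv(0x18, b"20191001000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA2, der_tlv(0x04, b"\x00" * 20)) + der_tlv(0x18, b"20191001000000Z") + der_tlv(0x30, single))
    basic = der_tlv(0x30, tbs + der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")) + der_tlv(0x03, b"\x00"))
    return der_tlv(0x30, der_tlv(0x0A, b"\x00") + der_tlv(0xA0, der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2b0601050507300101")) + der_tlv(0x04, basic))))

UNAUTHORIZED_RESPONSE = bytes.fromhex("30030a0106")          # standard encoding of an "unauthorized" response
SAMPLE_UNKNOWN = build_sample_response(der_tlv(0x82, b""))  # certStatus = unknown [2]
SAMPLE_GOOD = build_sample_response(der_tlv(0x80, b""))     # certStatus = good [0]
```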
Comment 1•4 years ago
Doug: Thanks for filing this issue early, as you became aware, rather than waiting until you believe it's been fully resolved.
It's unclear if this was meant to be the extent of the incident report or whether GlobalSign is preparing further updates. If planning to provide additional details, can you provide a timeline for that?
Comment 2•4 years ago
Ryan: We'll be providing regular updates and detail next week and finish up with an incident report that follows the Mozilla template.
As I thought about this more, our OCSP responses are OK and are not really the issue. The core problem is that Mozilla says CAs MUST NOT issue certificates that have cRLDistributionPoints or OCSP authorityInfoAccess extensions for which no operational CRL or OCSP service exists. Since precertificates are considered certificates, we need to provide operational OCSP and CRL services for them, which isn't currently possible. This is going to take a bit to complete, but we'll keep this ticket updated with the status.
Comment 3•4 years ago
Thanks. Please provide weekly updates on the progress to a complete timeline for remediation.
Comment 4•4 years ago
Status update:
- PrimeKey has opened a ticket to resolve this in the November time-frame in EJBCA 7.3.1
- We've opened tickets for our GlobalSign developed OCSP service to store the precertificates in our main certificate database so they are treated the same as a certificate when it comes to OCSP services. This will permit proper responses to be provided.
Our next status update should be in about a month. We continue to follow the discussions on mdsp list and updates to the Mozilla policy.
Comment 5•4 years ago
Thank you for the incident report. Given the outcome of the discussion on the mozilla.dev.security.policy list [1], I'm resolving this incident as INVALID.
[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/LC_y8yPDI9Q/tPrL7rNkBAAJ