QuoVadis: OCSP handling of Certificate Transparency Pre-certs
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: stephen.davidson, Assigned: stephen.davidson)
Details
(Whiteboard: [ca-compliance])
Bugs have been disclosed by other CAs relating to the performance of OCSP with pre-certificates when corresponding final certificates are delayed or not issued. See WiseKey, GlobalSign, Let's Encrypt, and DigiCert bugs.
As a user of EJBCA, QuoVadis may be impacted. QuoVadis has been in discussions with PrimeKey since last week to investigate the issue (see the related KB article at https://support.primekey.com/news/posts/pre-certificates-in-an-ocsp-responder-information-mozilla-discussion).
If applicable, QuoVadis will file an incident report after our investigation is complete.
Updated•5 years ago
Comment 1•5 years ago
Stephen: Thanks for filing this issue early, as you became aware, rather than waiting until you believe it's been fully resolved.
Can you please provide a timeline for providing additional details?
Updated•5 years ago
Comment 2•5 years ago
At this time, I cannot provide a timeframe. We believe there are three issues:
- Determining whether there are currently valid stalled pre-certs and revoking them
- Implementing an ongoing fix to deal with stalled pre-certs
- Ensuring that OCSP provides a compliant response for pre-certs
The latter two involve assistance from an external vendor; we believe that many trusted CAs will face the same issues. I'll update the bug as reliable information becomes available.
Comment 3•5 years ago
Per Mozilla policy, please provide weekly updates. Understanding when GlobalSign expects to know its current status seems like an appropriate first step and concrete deliverable.
Comment 4•5 years ago
QuoVadis confirms that we have issued 372 “stalled” precerts for which corresponding actual certs with the same serial number were not issued. Many of these precerts do not appear in any CT log.
We currently show OCSP of revoked/certificateHold for those stalled precerts. We are testing a script which will change the status to revoked/superseded for the stalled precerts. We expect to complete that in production during the week of September 16.
We have been informed by PrimeKey that changing EJBCA so OCSP will respond good for a precert is targeted as a feature in EJBCA 7.3.1 tentatively for release in November.
We are looking into ways to improve monitoring for stalled precerts and improved OCSP validation in the interim.
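A small monitoring check modelling the interim handling described in this comment: a precertificate (identified by the RFC 6962 CT poison extension) that has no final certificate with the same serial after a grace period is "stalled" and answered as revoked/superseded, a precert still inside the window keeps the revoked/certificateHold answer EJBCA gave at the time, and a serial with a final cert is answered "good". This is an added illustration, not QuoVadis's script or EJBCA code; the record layout, the 24-hour grace window and the sample serials are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# RFC 5280 CRLReason codes referred to in the bug.
CRL_REASON_SUPERSEDED = 4
CRL_REASON_CERTIFICATE_HOLD = 6
GRACE = timedelta(hours=24)  # assumed window for issuing the final cert after its precert

@dataclass(frozen=True)
class CertRecord:
    serial: int
    issued: datetime
    is_precert: bool  # True when the CT poison extension (OID 1.3.6.1.4.1.11129.2.4.3) is present

def find_stalled_precerts(records, now, grace=GRACE):
    """Serials of precerts older than `grace` that have no final cert with the same serial."""
    final_serials = {r.serial for r in records if not r.is_precert}
    return sorted(r.serial for r in records
                  if r.is_precert and r.serial not in final_serials
                  and now - r.issued > grace)

def ocsp_status_for(serial, records, now, grace=GRACE):
    """Interim OCSP answer as a (status, CRLReason) pair:
    final cert present -> "good" (the final cert's own revocation state is out of scope here);
    stalled precert    -> revoked/superseded (what the script in comment 4 sets);
    precert in grace   -> revoked/certificateHold (what EJBCA answered before the 7.3.1 change);
    anything else      -> "unknown"."""
    if any(r.serial == serial and not r.is_precert for r in records):
        return ("good", None)
    if serial in find_stalled_precerts(records, now, grace):
        return ("revoked", CRL_REASON_SUPERSEDED)
    if any(r.serial == serial and r.is_precert for r in records):
        return ("revoked", CRL_REASON_CERTIFICATE_HOLD)
    return ("unknown", None)

# Constructed sample data (not QuoVadis data).
NOW = datetime(2019, 9, 10, 12, tzinfo=timezone.utc)
RECORDS = [
    CertRecord(0x1001, NOW - timedelta(days=3), True),                        # precert never finalised
    CertRecord(0x1002, NOW - timedelta(days=2), True),                        # precert ...
    CertRecord(0x1002, NOW - timedelta(days=2) + timedelta(hours=1), False),  # ... and its final cert
    CertRecord(0x1003, NOW - timedelta(hours=1), True),                       # precert still inside GRACE
    CertRecord(0x1004, NOW - timedelta(days=30), False),                      # final cert with no precert
]

if __name__ == "__main__":
    print("stalled:", [hex(s) for s in find_stalled_precerts(RECORDS, NOW)])
    for serial in (0x1001, 0x1002, 0x1003, 0x1004, 0x9999):
        print(hex(serial), ocsp_status_for(serial, RECORDS, NOW))
```

Running the check on the CA's real issuance records (precert and final-cert serials with issuance times) gives the list that a revocation script such as the one mentioned above would act on.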
Comment 5•5 years ago
We endeavor to update disclosures in a timely manner; for clarity, I am noting that this bug will progress when more information on the EJBCA feature change becomes available. This will allow us to respond "good" when precertificates are logged, and to more easily revoke precertificates when required.
Comment 6•5 years ago
Thank you for the incident report. Given the outcome of the discussion on the mozilla.dev.security.policy list [1], I'm resolving this incident as INVALID.
[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/LC_y8yPDI9Q/tPrL7rNkBAAJ
Updated•2 years ago