Closed Bug 1579950 Opened Last month Closed 16 days ago

QuoVadis: OCSP handling of Certificate Transparency Pre-certs

Categories

(NSS :: CA Certificate Compliance, task)


Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: s.davidson, Assigned: s.davidson)

Details

(Whiteboard: [ca-compliance])

Bugs have been disclosed by other CAs relating to the performance of OCSP with pre-certificates when corresponding final certificates are delayed or not issued. See WiseKey, GlobalSign, Let's Encrypt, and DigiCert bugs.

As a user of EJBCA, QuoVadis may be impacted. QuoVadis has been in discussions with PrimeKey since last week to investigate the issue (see related kB at https://support.primekey.com/news/posts/pre-certificates-in-an-ocsp-responder-information-mozilla-discussion).

If applicable, QuoVadis will file an incident report after our investigation is complete.

Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

Stephen: Thanks for filing this issue early, as you became aware, rather than waiting until you believe it's been fully resolved.

Can you please provide a timeline for providing additional details?

Assignee: wthayer → s.davidson
Whiteboard: [ca-compliance]
Flags: needinfo?(s.davidson)

At this time, I cannot provide a timeframe. We believe there are three issues:

  • Determining whether there are currently valid stalled pre-certs and revoking them
  • Implementing an ongoing fix to deal with stalled pre-certs
  • Ensuring that OCSP provides a compliant response for pre-certs

The latter two involve assistance from an external vendor; we believe that many trusted CAs will face the same issues. I'll update the bug as reliable information becomes available.
Flags: needinfo?(s.davidson)

Per Mozilla policy, please provide weekly updates. Understanding when GlobalSign expects to know its current status seems like an appropriate first step and concrete deliverable.

Flags: needinfo?(s.davidson)

QuoVadis confirms that we have issued 372 “stalled” precerts for which corresponding actual certs with the same serial number were not issued. Many of these precerts do not appear in any CT log.

We currently show OCSP of revoked/certificateHold for those stalled precerts. We are testing a script which will change the status to revoked/superseded for the stalled precerts. We expect to complete that in production during the week of September 16.

We have been informed by PrimeKey that changing EJBCA so OCSP will respond good for a precert is targeted as a feature in EJBCA 7.3.1 tentatively for release in November.

We are looking into ways to improve monitoring for stalled precerts and improved OCSP validation in the interim.

Flags: needinfo?(s.davidson)
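As an added illustration (not part of the bug thread, and not QuoVadis or EJBCA tooling), this is one way a CA could monitor for the "stalled" precerts described in the comment above: currently valid precertificates with no final certificate of the same serial number. The inventory layout, the sample rows and the one-hour grace period are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory of objects signed by one CA (not real data).
# Columns: serial, kind, issued, notAfter, revoked. "kind" is "precert" for
# entries carrying the CT poison extension, otherwise "final".
INVENTORY = [
    ("0A:01", "precert", "2019-09-01T10:00:00+00:00", "2020-09-01T10:00:00+00:00", False),
    ("0a01",  "final",   "2019-09-01T10:00:05+00:00", "2020-09-01T10:00:00+00:00", False),
    ("0A:02", "precert", "2019-09-02T08:00:00+00:00", "2020-09-02T08:00:00+00:00", False),
    ("0A:03", "precert", "2018-01-01T00:00:00+00:00", "2019-01-01T00:00:00+00:00", False),
    ("0A:04", "precert", "2019-09-03T00:00:00+00:00", "2020-09-03T00:00:00+00:00", True),
    ("0A:05", "precert", "2019-09-10T11:59:00+00:00", "2020-09-10T11:59:00+00:00", False),
]

def serial_key(serial):
    """Compare serials as integers so '0A:01', '0a01' and 'a01' all match."""
    return int(serial.replace(":", ""), 16)

def find_stalled_precerts(inventory, now, grace=timedelta(hours=1)):
    """Return serials of currently valid precerts that have no final
    certificate with the same serial once the grace period has passed."""
    finals = {serial_key(s) for s, kind, *_ in inventory if kind == "final"}
    stalled = []
    for serial, kind, issued, not_after, revoked in inventory:
        if kind != "precert" or serial_key(serial) in finals:
            continue
        issued_at = datetime.fromisoformat(issued)
        expires_at = datetime.fromisoformat(not_after)
        if revoked or expires_at <= now:
            continue  # expired or already revoked: not "currently valid"
        if now - issued_at < grace:
            continue  # the final certificate may still be in flight
        stalled.append(serial)
    return stalled

if __name__ == "__main__":
    now = datetime(2019, 9, 10, 12, 0, tzinfo=timezone.utc)
    print(find_stalled_precerts(INVENTORY, now))
```

Serials are compared numerically because the same serial can be rendered with different case, separators or leading zeros across CA database exports and log tooling.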

We endeavor to update disclosures in a timely manner; for clarity, am noting that this bug will progress when more information on the EJBCA feature change becomes available. This will allow us to respond "good" when precertificates are logged, and to more easily revoke precertificates when required.

Thank you for the incident report. Given the outcome of the discussion on the mozilla.dev.security.policy list [1], I'm resolving this incident as INVALID.

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/LC_y8yPDI9Q/tPrL7rNkBAAJ

Status: ASSIGNED → RESOLVED
Closed: 16 days ago
Resolution: --- → INVALID