HARICA: OCSP Responder Returned "Unauthorized" for Some Precertificates
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: dzacharo, Assigned: dzacharo)
Details
(Whiteboard: [ca-compliance])
Attachments: 1 file (256.76 KB, application/pdf)
HARICA has been monitoring m.d.s.p. and the recent discussions about incorrect OCSP responses for pre-certificates for which no final certificate was issued. HARICA is using EJBCA, so we are affected by this issue.
At this time we have created a ticket to PrimeKey and we are working towards a solution to this problem.
PrimeKey has acknowledged the issue and has made publicly available the following announcement:
to assist its customers detect and correct the problem. HARICA will provide a full incident report following Mozilla's template once we apply the updates and correct the problem.
We expect the workaround to be tested and completed within 24 to 48 hours.
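The failure mode under discussion is an OCSP responder answering a precertificate serial with the outer responseStatus "unauthorized" (value 6, DER 30 03 0a 01 06) instead of a signed response carrying a certStatus. The following is an added example, not HARICA's, PrimeKey's or EJBCA's code: a standard-library Python scanner that builds an OCSPRequest (RFC 6960) for each serial, submits it to the responder (or to a stub), and classifies the answer, so a CA can list the serials that still get "unauthorized". The issuer Name DER and subjectPublicKey bits passed to `cert_id`, the responder URL, the serial list and the sample responses are assumptions or constructed test data; the code classifies status only and does not verify the responder's signature.

```python
import hashlib
from urllib.request import Request, urlopen

# ---- minimal DER encoder (only the types an OCSP request/response needs) ----
def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def seq(*items):       return tlv(0x30, b"".join(items))
def octets(b):         return tlv(0x04, b)
def null():            return b"\x05\x00"
def enumerated(v):     return tlv(0x0A, bytes([v]))
def gen_time(s):       return tlv(0x18, s.encode())
def explicit(n, body): return tlv(0xA0 | n, body)   # [n] EXPLICIT, constructed

def integer(v):
    # one spare bit so a leading 1 never makes the DER INTEGER read as negative
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        enc = [a & 0x7F]
        a >>= 7
        while a:
            enc.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(enc))
    return tlv(0x06, bytes(body))

SHA1_ALG = seq(oid("1.3.14.3.2.26"), null())
ID_PKIX_OCSP_BASIC = oid("1.3.6.1.5.5.7.48.1.1")

def cert_id(issuer_name_der, issuer_key_bits, serial):
    """CertID (RFC 6960 4.1.1): SHA-1 of the issuer Name DER and of the issuer
    subjectPublicKey BIT STRING contents (unused-bits octet excluded). Both
    inputs come from the issuing CA certificate; extracting them is assumed."""
    return seq(SHA1_ALG, octets(hashlib.sha1(issuer_name_der).digest()),
               octets(hashlib.sha1(issuer_key_bits).digest()), integer(serial))

def build_request(cid):
    """OCSPRequest { tbsRequest { requestList SEQUENCE OF Request { reqCert CertID } } }"""
    return seq(seq(seq(seq(cid))))

# ---- minimal DER reader ----
def read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                   3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
CERT_STATUS = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}   # [0]/[1]/[2] IMPLICIT

def classify_response(der):
    """Outer responseStatus, or for a successful response 'cert:<certStatus>' of
    the first SingleResponse. The responder signature is NOT verified here."""
    items = children(read_tlv(der)[1])
    status = RESPONSE_STATUS.get(items[0][1][0], "unrecognised")
    if status != "successful":
        return status
    rtype, rbody = children(children(items[1][1])[0][1])    # ResponseBytes members
    if tlv(0x06, rtype[1]) != ID_PKIX_OCSP_BASIC:
        return "unexpected-responseType"
    basic = children(children(rbody[1])[0][1])               # BasicOCSPResponse members
    tbs = children(basic[0][1])                               # tbsResponseData members
    responses = next(val for tag, val in tbs if tag == 0x30)  # only SEQUENCE at that level
    single = children(children(responses)[0][1])
    return "cert:" + CERT_STATUS.get(single[1][0], "?")

def query_responder(url, request_der, timeout=10):
    """POST per RFC 6960 A.1; not exercised offline."""
    req = Request(url, data=request_der, headers={"Content-Type": "application/ocsp-request"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read()

def find_unauthorized(serials, issuer_name_der, issuer_key_bits, fetch):
    """Serials the responder answers with 'unauthorized'. `fetch` maps request
    DER to response DER, e.g. functools.partial(query_responder, url)."""
    return [s for s in serials if classify_response(
        fetch(build_request(cert_id(issuer_name_der, issuer_key_bits, s)))) == "unauthorized"]

# ---- constructed sample responses for offline use (not real responder output) ----
UNAUTHORIZED_RESPONSE = seq(enumerated(6))        # 30 03 0a 01 06

def sample_success_response(cid, cert_status=b"\x80\x00"):
    """Successful response with an all-zero KeyHash responderID and a dummy signature."""
    single = seq(cid, cert_status, gen_time("20190912000000Z"))
    tbs = seq(explicit(2, octets(b"\x00" * 20)), gen_time("20190912000000Z"), seq(single))
    basic = seq(tbs, seq(oid("1.2.840.113549.1.1.11"), null()), tlv(0x03, b"\x00" * 33))
    return seq(enumerated(0), explicit(0, seq(ID_PKIX_OCSP_BASIC, octets(basic))))
```

Feed `find_unauthorized` the precertificate serials pulled from CT logs for the issuing CA; any serial it returns is one the responder is refusing to answer rather than answering "good", "revoked" or "unknown". Because the reader walks DER positionally and skips signature verification, use it for triage of a responder you operate, not as a client-side validator.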
Comment 1 (Assignee) • 6 years ago
I "cloned" LE's bug and see that this also copies the cc list. Apparently that was the first time I tried that. Apologies for the extra spam :-)
Comment 2 • 6 years ago
> HARICA will provide a full incident report following Mozilla's template once we apply the updates and correct the problem.
Can you provide a concrete timeline for that?
Comment 3 (Assignee) • 6 years ago
Based on the information we got from PrimeKey, we are currently writing the necessary scripts to scan and correct the problem. As I mentioned, we expect to test and complete the workaround within 24 to 48 hours. Hopefully the mitigation will be completed by Friday, September 13.
We will prepare the full incident report by Friday, September 20.
Comment 4 • 6 years ago
Thanks. It was unclear whether you were anticipating 24-48 hours after an undetermined patch time.
Added a note to confirm the initial mitigation on Friday and set N-I for then; we can then update to September 20 for the incident report.
Comment 5 (Assignee) • 6 years ago
This is our complete Incident report. We applied the mitigation early today (Greek time) and finished the report. Please let us know if you have any questions or concerns.
Comment 6 • 6 years ago
Thanks. Note that in Bug 1551390 (with references to the earlier Bug 1544933) there was earlier discussion about "unknown" statuses. These were reported in the overall list of Certinomis issues - https://groups.google.com/d/msg/mozilla.dev.security.policy/rmU311hOIIc/36RWof79CgAJ
Did HARICA's management discover/follow those discussions in their examination of this issue?
Comment 7 (Assignee) • 6 years ago
We were aware of the discussion around the Certinomis issues. At first I assumed you were referring to https://wiki.mozilla.org/CA/Certinomis_Issues#Issue_E:_Non-BR-Compliant_OCSP_Responders_.282017.29 because that was part of the public discussion in m.d.s.p. HARICA's OCSP responders are compliant with this requirement (BRs section 4.9.10).
Then I saw Bug 1551390, which was briefly referenced in Wayne's final (conclusion) email https://groups.google.com/d/msg/mozilla.dev.security.policy/rmU311hOIIc/oYuxQJbEAQAJ. I must admit that it is possible we missed that reference. I believe a more meaningful and detailed discussion about "unknown" status of pre-certificates took place recently, and it is still going.
In any case, thank you for pointing out this reference.
Comment 8 • 6 years ago
Thank you for the incident report. Given the outcome of the discussion on the mozilla.dev.security.policy list [1], I'm resolving this incident as INVALID.
[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/LC_y8yPDI9Q/tPrL7rNkBAAJ