Closed Bug 1580393 Opened 5 months ago Closed 4 months ago

HARICA: OCSP Responder Returned "Unauthorized" for Some Precertificates

Categories: NSS :: CA Certificate Compliance (task), Not set
Tracking: Not tracked
Status: RESOLVED INVALID
People: Reporter: jimmy; Assigned: jimmy
Whiteboard: [ca-compliance]
Attachments: 1 file

HARICA has been monitoring m.d.s.p. and the recent discussions about incorrect OCSP responses for pre-certificates for which no final certificate was issued. HARICA is using EJBCA so we are affected by this issue.

At this time we have created a ticket to PrimeKey and we are working towards a solution to this problem.

PrimeKey has acknowledged the issue and has made publicly available the following announcement:

https://support.primekey.com/news/posts/edited-pre-certificates-in-an-ocsp-responder-information-mozilla-discussion

to help its customers detect and correct the problem. HARICA will provide a full incident report following Mozilla's template once we apply the updates and correct the problem.

We expect the workaround to be tested and completed within 24 to 48 hours.

I "cloned" LE's bug and see that this also copies the cc list. Apparently that was the first time I tried that. Apologies for the extra spam :-)

Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Assignee: wthayer → jimmy
Type: defect → task

> HARICA will provide a full incident report following Mozilla's template once we apply the updates and correct the problem.

Can you provide a concrete timeline for that?

Flags: needinfo?(jimmy)
Whiteboard: [ca-compliance]

Based on the information we got from PrimeKey, we are currently writing the necessary scripts to scan and correct the problem. As I mentioned, we expect to test and complete the workaround within 24 to 48 hours. Hopefully the mitigation will be completed by Friday, September 13.
We will prepare the full incident report by Friday, September 20.

Flags: needinfo?(jimmy)

Thanks. It was unclear whether you were anticipating 24-48 hours after an undetermined patch time.

Added a note to confirm the initial mitigation on Friday and set N-I for then; we can then update to September 20 for the incident report.

Flags: needinfo?(jimmy)
Whiteboard: [ca-compliance] → [ca-compliance] Next Update - 13-September 2019

This is our complete Incident report. We applied the mitigation early today (Greek time) and finished the report. Please let us know if you have any questions or concerns.

Flags: needinfo?(jimmy)
Whiteboard: [ca-compliance] Next Update - 13-September 2019 → [ca-compliance]

Thanks. Note that in Bug 1551390 (with references to the earlier Bug 1544933) there was earlier discussion about "unknown" statuses. These were reported in the overall list of Certinomis issues - https://groups.google.com/d/msg/mozilla.dev.security.policy/rmU311hOIIc/36RWof79CgAJ

Did HARICA's management discover/follow those discussions in their examination of this issue?

Flags: needinfo?(jimmy)

We were aware of the discussion around Certinomis issues. At first I assumed you were referring to https://wiki.mozilla.org/CA/Certinomis_Issues#Issue_E:_Non-BR-Compliant_OCSP_Responders_.282017.29 because that was part of the public discussion in m.d.s.p. HARICA's OCSP responders are compliant with this requirement (BRs section 4.9.10).

Then I saw Bug 1551390, which was briefly referenced in Wayne's final (conclusion) email https://groups.google.com/d/msg/mozilla.dev.security.policy/rmU311hOIIc/oYuxQJbEAQAJ. I must admit that it is possible we missed that reference. I believe a more meaningful and detailed discussion about "unknown" status of pre-certificates took place recently, and it is still going.

In any case, thank you for pointing out this reference.

Flags: needinfo?(jimmy)

Thank you for the incident report. Given the outcome of the discussion on the mozilla.dev.security.policy list [1], I'm resolving this incident as INVALID.

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/LC_y8yPDI9Q/tPrL7rNkBAAJ

Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → INVALID