Closed Bug 1582519 Opened 5 years ago Closed 5 years ago

DigiCert: Apple: Precertificates without corresponding certificates return OCSP value of "unknown"

Categories

(CA Program :: CA Certificate Compliance, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: wthayer, Assigned: certification_authority)

Details

(Whiteboard: [ca-compliance])

Apple posted the following to the mozilla.dev.security.policy forum on 13-September:

We’ve been following the discussions regarding how OCSP responders should handle Precertificates without corresponding certificates and what the appropriate response indicator should be (good, revoked, or unknown).

Based on the recent clarifications at [1], we want to inform the community that Apple’s OCSP responders return a status of “unknown” for Precertificates without a corresponding certificate. We have identified one Precertificate that did not result in a corresponding certificate for which our OCSP responders are returning a status of “unknown” (https://crt.sh/?id=1368484681).

We’ve updated the OCSP responders to respond “good” for that Precertificate and a long-term fix is in progress.

We appreciate the efforts being made to amend the Mozilla Root Store Policy to explicitly address matters relating to Certificate Transparency.

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/LC_y8yPDI9Q/24Fl9kc-AQAJ

Thank you for the incident report. Given the outcome of the discussion on the mozilla.dev.security.policy list [1], I'm resolving this incident as INVALID.

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/LC_y8yPDI9Q/tPrL7rNkBAAJ

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
Product: NSS → CA Program