Closed Bug 1639518 Opened 4 years ago Closed 4 years ago

Sectigo: "unauthorized" OCSP responses

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

VERIFIED INVALID

People

(Reporter: mpalmer, Assigned: Robin.Alden)

Details

(Whiteboard: [ca-compliance])

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36

Steps to reproduce:

Made OCSP responses for certificates https://crt.sh/?id=2445497992 and https://crt.sh/?id=2445497574 to http://ocsp.comodoca.com.

Actual results:

HTTP response is 200 OK, but OCSP status is 6 ("unauthorized"), when queried both from my own OCSP checker, and crt.sh. Other requests to the same OCSP responders, for different certificates, are successful.

Expected results:

OCSP response should be 0 ("successful").

Assignee: bwilson → Robin.Alden
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Flags: needinfo?(Robin.Alden)
Whiteboard: [ca-compliance]

Both of these certificates are expired.

Sectigo do not generate OCSP responses for expired SSL certificates.

Flags: needinfo?(Robin.Alden)

Ugh, sorry about that Robin. I’ll open an issue on crt.sh to help make that more prominent.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID

Just to add a reference for this behaviour:
We use RFC5019's extended definition of "unauthorized". https://tools.ietf.org/html/rfc5019#section-2.2.3 says:

Also, in order to ensure the database of revocation information does not grow unbounded over time, the responder MAY remove the status records of expired certificates. Requests from clients for certificates whose record has been removed will result in an OCSPResponseStatus of "unauthorized".
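An added example, not code from the bug report, from crt.sh or from Sectigo, showing the check a monitoring tool should make before treating "unauthorized" as a compliance problem: decode the outer responseStatus of an OCSPResponse (RFC 6960 section 4.2.1) and combine it with the certificate's notAfter, so that the RFC 5019 section 2.2.3 case (expired certificate, status record removed) is reported separately from an "unauthorized" for a still-valid certificate. The DER byte strings and the notAfter/now values are constructed for the example; only the responseStatus field is parsed, so responseBytes of a real successful response are ignored.

```python
from datetime import datetime, timezone

# OCSPResponseStatus values from RFC 6960 section 4.2.1 (4 is unused).
OCSP_RESPONSE_STATUS = {
    0: "successful",
    1: "malformedRequest",
    2: "internalError",
    3: "tryLater",
    5: "sigRequired",
    6: "unauthorized",
}


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos).
    Handles short-form and long-form lengths, which is all an
    OCSPResponse needs."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def ocsp_response_status(der):
    """Return the responseStatus integer from a DER-encoded OCSPResponse:
       OCSPResponse ::= SEQUENCE {
           responseStatus ENUMERATED,
           responseBytes  [0] EXPLICIT ResponseBytes OPTIONAL }
    Raises ValueError if the bytes are not shaped like that."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("OCSPResponse must be a SEQUENCE")
    tag, value, _ = _read_tlv(body, 0)
    if tag != 0x0A or len(value) != 1:
        raise ValueError("responseStatus must be a one-byte ENUMERATED")
    return value[0]


def triage(der, not_after, now=None):
    """Classify a response the way the thread resolves the report:
    'unauthorized' for an expired certificate is the documented RFC 5019
    behaviour; 'unauthorized' for an unexpired certificate is the case
    that deserves a closer look."""
    now = now or datetime.now(timezone.utc)
    status = ocsp_response_status(der)
    name = OCSP_RESPONSE_STATUS.get(status, "unknown(%d)" % status)
    if status == 0:
        return "successful"
    if status == 6 and not_after < now:
        return "unauthorized: certificate expired; expected per RFC 5019 s2.2.3"
    if status == 6:
        return "unauthorized: certificate not expired; investigate"
    return "non-successful status: " + name


# Constructed sample: DER of OCSPResponse { responseStatus unauthorized(6) }
UNAUTHORIZED_DER = bytes.fromhex("30030a0106")
# Constructed sample: status successful(0) with responseBytes omitted
SUCCESSFUL_DER = bytes.fromhex("30030a0100")
# Constructed dates (hypothetical, not the dates of the certificates in the bug)
NOW = datetime(2020, 5, 20, tzinfo=timezone.utc)
EXPIRED_NOT_AFTER = datetime(2020, 5, 1, tzinfo=timezone.utc)
VALID_NOT_AFTER = datetime(2021, 5, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(triage(UNAUTHORIZED_DER, EXPIRED_NOT_AFTER, NOW))
    print(triage(UNAUTHORIZED_DER, VALID_NOT_AFTER, NOW))
    print(triage(SUCCESSFUL_DER, VALID_NOT_AFTER, NOW))
```

In a real checker the `der` argument is the body of the HTTP 200 response from the responder and `not_after` comes from the certificate being checked; the point of `triage` is that a 200 OK with status 6 is only a finding worth raising when the certificate has not yet expired.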

Ryan, thanks for opening https://github.com/crtsh/certwatch_db/issues/73. I'll deal with it shortly.

Apologies for this incorrect report. I usually don't deal in expired certs, so this corner case tripped things up.

Status: RESOLVED → VERIFIED
Product: NSS → CA Program