Closed Bug 692992 Opened 13 years ago Closed 11 years ago

OCSP "UNKNOWN" responses should be treated as failures

Categories: NSS :: Libraries
Type: defect
Priority: Not set
Severity: normal

RESOLVED DUPLICATE of bug 745747

People

(Reporter: aerowolf, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Build ID: 20110902133214

Steps to reproduce:

(I'm not sure if this is NSS or PSM)
Expected results:

OCSP "UNKNOWN" responses are a statement from non-authoritative OCSP servers that they don't know the revocation status, and that the original issuer should be consulted.

OCSP "UNKNOWN" from the authoritative issuer is an error: it states that the CA doesn't know if it ever even issued the certificate, much less if it's valid.

As we have seen with the DigiNotar incident, it is sometimes possible to issue certificates without keeping the records around, preventing standard revocation mechanisms from working. If the originating CA doesn't know whether it's valid or not, it probably shouldn't be part of Mozilla's trust list.

Comment 1 (Daniel Veditz [:dveditz]):

If you flip the strict OCSP checking pref then UNKNOWN responses are treated as failures. We'd sort of get this for free when we make that the default, but since we're a long ways from being able to do that (need to build a caching system to compensate for the flaky reality of today's OCSP infrastructure) this is still a valid request.
Status: UNCONFIRMED → NEW
Ever confirmed: true

(In reply to Daniel Veditz [:dveditz] from comment #1)
> If you flip the strict OCSP checking pref then UNKNOWN responses are treated
> as failures.

As it turns out, they are already treated as failures irrespective of the value of the security.OCSP.require pref.

Duplicating to bug 745747 which, though filed later, has more information.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
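An added example (not NSS or PSM code) of the policy this thread settles on, covering both the reporter's expectation and the note above that security.OCSP.require does not change it: a decoder for the RFC 6960 CertStatus CHOICE and a decision function that fails on UNKNOWN in either mode, soft-failing only a missing response when strict checking is off. The `strict` flag standing in for the pref, the constructed sample DER bytes and the treatment of malformed responses are assumptions.

```python
# Added example, not NSS/PSM code: decode the OCSP CertStatus CHOICE
# (RFC 6960 section 4.2.1) and apply the rule that UNKNOWN fails regardless
# of the strict pref. `strict` models security.OCSP.require (assumption).
from enum import Enum
from typing import Optional


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


# CertStatus ::= CHOICE { good [0] IMPLICIT NULL,
#                         revoked [1] IMPLICIT RevokedInfo,
#                         unknown [2] IMPLICIT UnknownInfo }
# Context-specific tags: [0] primitive 0x80, [1] constructed 0xA1, [2] primitive 0x82.
_TAG_TO_STATUS = {0x80: CertStatus.GOOD, 0xA1: CertStatus.REVOKED, 0x82: CertStatus.UNKNOWN}


def parse_cert_status(der: bytes) -> CertStatus:
    """Decode one DER CertStatus element; raise ValueError on anything else."""
    if len(der) < 2:
        raise ValueError("truncated CertStatus")
    tag, length = der[0], der[1]
    if length > 0x7F or len(der) != 2 + length:
        raise ValueError("bad CertStatus length")  # short-form length only
    if tag not in _TAG_TO_STATUS:
        raise ValueError(f"unexpected CertStatus tag 0x{tag:02x}")
    status = _TAG_TO_STATUS[tag]
    if status is not CertStatus.REVOKED and length != 0:
        raise ValueError("good/unknown carry an empty NULL")
    return status


def decide(response: Optional[bytes], strict: bool) -> bool:
    """True if the certificate may be accepted. None means no usable response."""
    if response is None:
        return not strict  # soft-fail only when security.OCSP.require is off
    try:
        status = parse_cert_status(response)
    except ValueError:
        return not strict  # assumption: a malformed response is handled like a fetch failure
    # REVOKED and UNKNOWN both fail, whether or not strict checking is on.
    return status is CertStatus.GOOD


# Constructed sample encodings (not captured from a real responder).
GOOD_SAMPLE = b"\x80\x00"
UNKNOWN_SAMPLE = b"\x82\x00"
# revoked: RevokedInfo SEQUENCE holding GeneralizedTime "20111008120000Z"
REVOKED_SAMPLE = b"\xa1\x11\x18\x0f" + b"20111008120000Z"
```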