OCSP "UNKNOWN" responses should be treated as failures

Status

RESOLVED DUPLICATE of bug 745747

People

(Reporter: aerowolf, Unassigned)

Firefox Tracking Flags: (Not tracked)

Description (Reporter)

7 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Build ID: 20110902133214

Steps to reproduce:

(I'm not sure if this is NSS or PSM)

Expected results:

OCSP "UNKNOWN" responses are a statement from non-authoritative OCSP servers that they don't know the revocation status, and that the original issuer should be consulted.

OCSP "UNKNOWN" from the authoritative issuer is an error: it states that the CA doesn't know if it ever even issued the certificate, much less if it's valid.

As we have seen with the DigiNotar incident, it is sometimes possible to issue certificates without keeping the records around, preventing standard revocation mechanisms from working. If the originating CA doesn't know whether it's valid or not, it probably shouldn't be part of Mozilla's trust list.

Comment 1

Daniel Veditz [:dveditz]

If you flip the strict OCSP checking pref then UNKNOWN responses are treated as failures. We'd sort of get this for free when we make that the default, but since we're a long way from being able to do that (need to build a caching system to compensate for the flaky reality of today's OCSP infrastructure) this is still a valid request.
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 2

6 years ago
(In reply to Daniel Veditz [:dveditz] from comment #1)
> If you flip the strict OCSP checking pref then UNKNOWN responses are treated
> as failures.

As it turns out, they are already treated as failures irrespective of the value of the security.OCSP.require pref.

Duplicating to bug 745747 which, though filed later, has more information.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 745747
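The two points in this thread, the RFC 6960 meaning of the three CertStatus alternatives (good / revoked / unknown) and the policy that an UNKNOWN answer is a failure irrespective of the security.OCSP.require pref while only a missing response is subject to soft-fail, are shown below as an added example. It is not code from the bug, from NSS or from PSM; it inspects just the DER bytes of one CertStatus CHOICE element (the field that follows CertID inside a SingleResponse), does no signature or response-level validation, and the sample encodings at the bottom are constructed for illustration.

```python
"""Classify an RFC 6960 OCSP CertStatus and apply the policy from this bug.

Added example; not code from the bug report, NSS or PSM. It looks only at
the DER bytes of one CertStatus CHOICE element (the field after CertID in a
SingleResponse) and does no signature or response-level validation. The
sample encodings at the bottom are constructed for illustration.
"""
from enum import Enum
from typing import Optional


class CertStatus(Enum):
    GOOD = "good"        # [0] IMPLICIT NULL
    REVOKED = "revoked"  # [1] IMPLICIT RevokedInfo (a SEQUENCE)
    UNKNOWN = "unknown"  # [2] IMPLICIT UnknownInfo (NULL)


def _der_length(der: bytes, offset: int) -> int:
    """Decode a definite-form DER length starting at der[offset]."""
    first = der[offset]
    if first < 0x80:
        return first
    count = first & 0x7F
    if count == 0 or count > 4 or len(der) < offset + 1 + count:
        raise ValueError("indefinite or oversized DER length")
    return int.from_bytes(der[offset + 1:offset + 1 + count], "big")


def parse_cert_status(der: bytes) -> CertStatus:
    """Map the context-specific tag of a CertStatus element to its alternative.

    good and unknown are the primitive tags [0]/[2] carrying an empty NULL;
    revoked is the constructed tag [1] carrying RevokedInfo. Any other tag,
    or a truncated body, is treated as malformed rather than as GOOD.
    """
    if len(der) < 2:
        raise ValueError("truncated CertStatus")
    tag = der[0]
    if tag == 0x80 and der[1] == 0x00:
        return CertStatus.GOOD
    if tag == 0x82 and der[1] == 0x00:
        return CertStatus.UNKNOWN
    if tag == 0xA1:
        body_len = _der_length(der, 1)
        header = 2 if der[1] < 0x80 else 2 + (der[1] & 0x7F)
        if len(der) < header + body_len:
            raise ValueError("truncated RevokedInfo")
        return CertStatus.REVOKED
    raise ValueError(f"unexpected CertStatus tag 0x{tag:02x}")


def is_malformed(der: bytes) -> bool:
    """True when parse_cert_status rejects the encoding."""
    try:
        parse_cert_status(der)
    except ValueError:
        return True
    return False


def accept_certificate(status: Optional[CertStatus],
                       fetch_succeeded: bool,
                       require_ocsp: bool) -> bool:
    """Apply the policy stated in the thread.

    No response at all (network failure, responder down) is tolerated only
    while the strict pref, security.OCSP.require, is off. A definitive
    UNKNOWN answer is a failure regardless of that pref: the responder has
    said it cannot vouch for the certificate, so it is handled like REVOKED.
    """
    if not fetch_succeeded:
        return not require_ocsp
    return status is CertStatus.GOOD


# Constructed sample encodings (not taken from any real responder); the
# revoked one carries RevokedInfo { revocationTime GeneralizedTime } with a
# made-up timestamp.
SAMPLE_CERT_STATUS = {
    "good": bytes.fromhex("8000"),
    "unknown": bytes.fromhex("8200"),
    "revoked": bytes.fromhex("a111180f") + b"20120101000000Z",
    "bogus": bytes.fromhex("8300"),
}

if __name__ == "__main__":
    for name, der in SAMPLE_CERT_STATUS.items():
        if is_malformed(der):
            print(f"{name:8s}: malformed -> reject")
            continue
        status = parse_cert_status(der)
        for require in (False, True):
            verdict = accept_certificate(status, True, require)
            print(f"{name:8s}: {status.value:8s} require={require!s:5s} "
                  f"-> {'accept' if verdict else 'reject'}")
```

Running the block prints one verdict per sample for both values of the strict pref; only `good` is ever accepted, and `unknown` is rejected in both columns, which is the behaviour comment 2 reports. Treating an unrecognised tag as malformed rather than defaulting to GOOD is the fail-closed choice a verifier should make here.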