I can confirm that as of this moment the VISA OCSP responders are still responding GOOD for non-existent certificates. VISA was originally contacted by me on August 29, so it has now been over 21 days since the initial report.

-Paul

On September 21, 2017 at 9:32:12 PM, Gervase Markham via dev-security-policy (dev-security-policy@lists.mozilla.org) wrote:

Additionally, 13 days ago it was reported to VISA that their OCSP responder was misconfigured to return "good" responses for non-existent certificates:
https://bugzilla.mozilla.org/show_bug.cgi?id=1398261

As far as I can see, this is the case for their end-entity certificates, not just some roots or intermediates. Two weeks later, they have not yet provided any response.

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy