I'll look into this immediately, but have you checked to see whether these certificates have OCSP AIAs in them? Or did you find these by searching our CRLs?
-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Corey Bonnell via dev-security-policy
Sent: Sunday, January 27, 2019 8:50 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Incorrect OCSP status for revoked intermediates

Hello,

I discovered that the following Baltimore CyberTrust Root-chained intermediates are disclosed in CCADB and are revoked via CRL, but the OCSP responder is returning "good":

DigiCert
crt.sh URL(s),notBefore,notAfter,subject CN,issuer CN
https://clicktime.symantec.com/3GqSUWeMsiuccdDg8FV74mK7Vc?u=https%3A%2F%2Fcrt.sh%2F%3Fid%3D3528065,2014-02-12,2021-02-12,Bechtel External Policy CA 1,Baltimore CyberTrust Root
https://clicktime.symantec.com/3QitWkthhibn6J3dyv2WjMK7Vc?u=https%3A%2F%2Fcrt.sh%2F%3Fid%3D91478106,2014-04-16,2024-04-16,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
https://clicktime.symantec.com/3GDackCrAv2JK3LE1ejLmCb7Vc?u=https%3A%2F%2Fcrt.sh%2F%3Fid%3D12625621,2014-04-16,2024-04-16,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
https://clicktime.symantec.com/3CPUS2fftSKXmYYJpwrxa997Vc?u=https%3A%2F%2Fcrt.sh%2F%3Fid%3D91478107,2014-04-16,2024-04-16,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
https://clicktime.symantec.com/34vSegkxwLnEhzzA2c8n23e7Vc?u=https%3A%2F%2Fcrt.sh%2F%3Fid%3D12620974,2014-09-10,2024-09-10,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
https://clicktime.symantec.com/32GsGFkYLsck8uJmXJc9Ky17Vc?u=https%3A%2F%2Fcrt.sh%2F%3Fid%3D6906659,2015-03-03,2022-03-03,ABB Intermediate CA 3,Baltimore CyberTrust Root
https://clicktime.symantec.com/3Gbhskg8uybb9uykbTxfo1h7Vc?u=https%3A%2F%2Fcrt.sh%2F%3Fid%3D6976985,2015-03-18,2022-03-18,Bechtel External Policy CA 1,Baltimore CyberTrust Root
https://clicktime.symantec.com/3QaVKssB27cqRnuH6nnqUrX7Vc?u=https%3A%2F%2Fcrt.sh%2F%3Fid%3D35335507,2015-05-21,2022-05-21,ABB Intermediate CA 3,Baltimore CyberTrust Root
https://clicktime.symantec.com/3TjvAB1yvCCo15dr1ecGvbd7Vc?u=https%3A%2F%2Fcrt.sh%2F%3Fid%3D78292184,2016-11-30,2020-11-30,Eurida Primary CA,Baltimore CyberTrust Root

Given that software may rely on OCSP responses for revocation checking (as opposed to CRLs or some other mechanism), I wanted to notify the Mozilla community of this inconsistent revocation information.

Thanks,
Corey
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://clicktime.symantec.com/3XCAvWmYdPvvFEe9DtH7i3T7Vc?u=https%3A%2F%2Flists.mozilla.org%2Flistinfo%2Fdev-security-policy
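The comparison this thread turns on, as an added example that is not part of either message and not DigiCert's or Mozilla's tooling: it checks whether a certificate carries an OCSP AIA and whether the OCSP status for its serial agrees with the issuer's CRL. It uses the Python `cryptography` package on a constructed throwaway PKI (the names, the responder URL and the helpers `fixture` and `reconcile` are assumptions) and does not verify CRL or OCSP signatures.

```python
import datetime as dt
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID as AIA, ExtensionOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW, DAY = dt.datetime(2019, 1, 27), dt.timedelta(days=1)  # constructed reference time

def fixture(ocsp_revoked, with_aia=True):
    """Constructed throwaway PKI: root, one intermediate listed in the root's CRL, one OCSP response."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    def cert(cn, pub):
        b = (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name("Constructed Root"))
             .public_key(pub).serial_number(x509.random_serial_number())
             .not_valid_before(NOW - 365 * DAY).not_valid_after(NOW + 365 * DAY))
        if with_aia:  # placeholder responder URL, never contacted
            b = b.add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
                AIA.OCSP, x509.UniformResourceIdentifier("http://ocsp.example.test"))]), critical=False)
        return b.sign(key, hashes.SHA256())
    root = cert("Constructed Root", key.public_key())
    sub = cert("Constructed Intermediate", ec.generate_private_key(ec.SECP256R1()).public_key())
    entry = x509.RevokedCertificateBuilder().serial_number(sub.serial_number).revocation_date(NOW - DAY).build()
    crl = (x509.CertificateRevocationListBuilder().issuer_name(root.subject).last_update(NOW)
           .next_update(NOW + 7 * DAY).add_revoked_certificate(entry).sign(key, hashes.SHA256()))
    status = ocsp.OCSPCertStatus.REVOKED if ocsp_revoked else ocsp.OCSPCertStatus.GOOD
    resp = (ocsp.OCSPResponseBuilder().add_response(
                cert=sub, issuer=root, algorithm=hashes.SHA256(), cert_status=status,
                this_update=NOW, next_update=NOW + DAY,
                revocation_time=NOW - DAY if ocsp_revoked else None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, root).sign(key, hashes.SHA256()))
    return sub, crl, resp

def reconcile(cert, crl, resp):
    """Compare the CRL and OCSP views of one certificate and return a short verdict string."""
    try:
        aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
        has_ocsp = any(d.access_method == AIA.OCSP for d in aia)
    except x509.ExtensionNotFound:
        has_ocsp = False
    in_crl = crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
    if not has_ocsp:
        return "no-ocsp-aia"  # certificate names no responder, so there is nothing to compare
    if resp.serial_number != cert.serial_number:
        return "response-for-other-cert"
    status = resp.certificate_status
    if in_crl != (status == ocsp.OCSPCertStatus.REVOKED):
        return f"mismatch: crl={'revoked' if in_crl else 'absent'} ocsp={status.name.lower()}"
    return "consistent"
```

Against real data, `cert`, `crl` and `resp` would come from `x509.load_der_x509_certificate`, `x509.load_der_x509_crl` and `ocsp.load_der_ocsp_response`, with signature and freshness checks added before trusting either source.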