Thanks Corey and Ben. This issue does appear to have been resolved. I've created a bug requesting an incident report: https://bugzilla.mozilla.org/show_bug.cgi?id=1523676

- Wayne

On Sun, Jan 27, 2019 at 5:48 PM Ben Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> We believe this issue has been fixed.
>
> ________________________________
> From: Ben Wilson
> Sent: Sunday, January 27, 2019 2:22:45 PM
> To: Corey Bonnell; mozilla-dev-security-pol...@lists.mozilla.org
> Subject: RE: Incorrect OCSP status for revoked intermediates
>
> Thanks, Corey. As I said, we'll try to get this resolved as soon as possible and file an incident report.
>
> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Corey Bonnell via dev-security-policy
> Sent: Sunday, January 27, 2019 2:21 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Incorrect OCSP status for revoked intermediates
>
> On Sunday, January 27, 2019 at 4:09:44 PM UTC-5, Ben Wilson wrote:
> > I'll look into this immediately, but have you checked to see whether these certificates have OCSP AIAs in them? Or did you find these by searching our CRLs?
> >
> > -----Original Message-----
> > From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Corey Bonnell via dev-security-policy
> > Sent: Sunday, January 27, 2019 8:50 AM
> > To: mozilla-dev-security-pol...@lists.mozilla.org
> > Subject: Incorrect OCSP status for revoked intermediates
> >
> > Hello,
> > I discovered that the following Baltimore CyberTrust Root-chained intermediates are disclosed in CCADB and are revoked via CRL, but the OCSP responder is returning "good":
> >
> > DigiCert
> > crt.sh URL(s),notBefore,notAfter,subject CN,issuer CN
> > https://crt.sh/?id=3528065,2014-02-12,2021-02-12,Bechtel External Policy CA 1,Baltimore CyberTrust Root
> > https://crt.sh/?id=91478106,2014-04-16,2024-04-16,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
> > https://crt.sh/?id=12625621,2014-04-16,2024-04-16,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
> > https://crt.sh/?id=91478107,2014-04-16,2024-04-16,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
> > https://crt.sh/?id=12620974,2014-09-10,2024-09-10,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
> > https://crt.sh/?id=6906659,2015-03-03,2022-03-03,ABB Intermediate CA 3,Baltimore CyberTrust Root
> > https://crt.sh/?id=6976985,2015-03-18,2022-03-18,Bechtel External Policy CA 1,Baltimore CyberTrust Root
> > https://crt.sh/?id=35335507,2015-05-21,2022-05-21,ABB Intermediate CA 3,Baltimore CyberTrust Root
> > https://crt.sh/?id=78292184,2016-11-30,2020-11-30,Eurida Primary CA,Baltimore CyberTrust Root
> >
> > Given that software may rely on OCSP responses for revocation checking (as opposed to CRLs or some other mechanism), I wanted to notify the Mozilla community of this inconsistent revocation information.
> >
> > Thanks,
> > Corey
> > _______________________________________________
> > dev-security-policy mailing list
> > dev-security-policy@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy
>
> Hi Ben,
> Yes, I confirmed that all listed certificates have OCSP AIA pointers. You can use the crt.sh links and click "Check" in the Revocation table's OCSP column to have crt.sh perform the OCSP check for you.
>
> For full disclosure, I found these certificates using Censys.io.
>
> Thanks,
> Corey
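The thread above is about two revocation sources for the same certificate disagreeing: the CRL lists the intermediate as revoked while the OCSP responder answers "good". The script below is an added example, not code from the thread or from DigiCert, Mozilla or crt.sh. It uses the Python `cryptography` library to build a throwaway root CA, an intermediate chained to it, a CRL from that root revoking the intermediate, and an OCSP response from the same root, then cross-checks the two the way a relying party or a monitor would. Forcing the OCSP status to GOOD reproduces the reported inconsistency; the names, keys and dates are all constructed, and the checker assumes the OCSP response is signed directly by the issuing CA (delegated responders are noted as unhandled in the code).

```python
"""Cross-check a certificate's CRL status against its OCSP status (added example).

Builds a throwaway root CA, an intermediate chained to it, a CRL from the root that
revokes the intermediate, and an OCSP response from the same root. With the OCSP
status forced to GOOD this reproduces the inconsistency reported in the thread:
CRL says revoked, OCSP says good. All keys, names and dates are constructed.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2019, 1, 27, 12, 0, 0)  # constructed fixed clock, naive UTC
DAY = datetime.timedelta(days=1)
STATUS_NAMES = {ocsp.OCSPCertStatus.GOOD: "good",
                ocsp.OCSPCertStatus.REVOKED: "revoked",
                ocsp.OCSPCertStatus.UNKNOWN: "unknown"}


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca(cn, issuer=None, issuer_key=None):
    """CA certificate plus key; self-signed unless an issuer cert and key are given."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn))
            .issuer_name(issuer.subject if issuer is not None else _name(cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY)
            .not_valid_after(NOW + 365 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(issuer_key if issuer_key is not None else key, hashes.SHA256()))
    return cert, key


def make_crl(issuer_cert, issuer_key, revoked_serials):
    """CRL issued by issuer_cert listing revoked_serials."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer_cert.subject)
               .last_update(NOW)
               .next_update(NOW + 7 * DAY))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(NOW).build())
    return builder.sign(issuer_key, hashes.SHA256())


def make_ocsp_response(cert, issuer_cert, issuer_key, status):
    """DER OCSP response for cert, signed directly by the issuing CA."""
    revoked = status == ocsp.OCSPCertStatus.REVOKED
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=cert, issuer=issuer_cert, algorithm=hashes.SHA256(),
                             cert_status=status, this_update=NOW, next_update=NOW + DAY,
                             revocation_time=NOW if revoked else None,
                             revocation_reason=None)
               .responder_id(ocsp.OCSPResponderEncoding.NAME, issuer_cert))
    return builder.sign(issuer_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def crl_status(cert, crl, issuer_cert):
    """'revoked' or 'good' per the CRL, after checking issuer match and signature."""
    if crl.issuer != issuer_cert.subject:
        raise ValueError("CRL issuer does not match the certificate's issuer")
    if not crl.is_signature_valid(issuer_cert.public_key()):
        raise ValueError("CRL signature does not verify against the issuer key")
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"


def ocsp_status(cert, response_der, issuer_cert):
    """Status per the OCSP response, after checking it is for cert and signed by the issuer.

    Assumption: the responder is the issuing CA itself. A production checker must also
    accept a delegated responder certificate with id-kp-OCSPSigning that chains to the
    issuer (RFC 6960 section 4.2.2.2); that path is deliberately not implemented here.
    """
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError(f"OCSP responder error: {resp.response_status}")
    issuer_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                    ec.ECDSA(resp.signature_hash_algorithm))
    if resp.serial_number != cert.serial_number:
        raise ValueError("OCSP response is for a different serial number")
    return STATUS_NAMES[resp.certificate_status]


def cross_check(cert, crl, response_der, issuer_cert):
    """Compare both revocation sources; a disagreement is itself a finding."""
    via_crl = crl_status(cert, crl, issuer_cert)
    via_ocsp = ocsp_status(cert, response_der, issuer_cert)
    return {"crl": via_crl, "ocsp": via_ocsp, "consistent": via_crl == via_ocsp}


def demo(ocsp_says="good"):
    """Revoke the intermediate on the CRL, then have OCSP answer ocsp_says."""
    root, root_key = make_ca("Example Root CA")
    inter, _ = make_ca("Example Intermediate CA", issuer=root, issuer_key=root_key)
    crl = make_crl(root, root_key, [inter.serial_number])
    status = {v: k for k, v in STATUS_NAMES.items()}[ocsp_says]
    resp = make_ocsp_response(inter, root, root_key, status)
    return cross_check(inter, crl, resp, root)


if __name__ == "__main__":
    print(demo("good"))     # the reported situation: CRL revoked, OCSP good
    print(demo("revoked"))  # what a correct responder should return
```

Against real certificates the same `cross_check` would be fed the CRL fetched from the CRL Distribution Point and the response fetched from the OCSP AIA URL; the point of verifying both signatures before comparing is that a disagreement between two authentic sources is the CA-side defect the thread describes, whereas an unverified response could just as well be a tampered or stale one.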