Is our answer right though? I wasn't sure. I said "Good" because "a promise to issue a cert" could be considered the same as issued. In that case the BRs say you must respond good. However, if "a promise to issue a certificate" is not the same as issuance, the BRs don't apply to the OCSP until the certificate issues and the correct response is "Revoked" per the RFC.
The BRs apply for sure to the contents, but do they apply to the OCSP responses in the time period between when the pre-cert is logged and the cert is signed? Seems like a nice simple rule is that the promise to issue is issuance regardless of what the BRs say and that you should respond good. This was our logic and why we decided on "Good". However, a very strict reading of the RFC and BR interaction means you need to respond "Revoked" until the cert issues. I don't like that outcome because it's complicated and leads to confusion.

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Jacob Hoffman-Andrews via dev-security-policy
Sent: Thursday, August 29, 2019 5:37 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

Also filed at https://bugzilla.mozilla.org/show_bug.cgi?id=1577652

On 2019.08.28 we read Apple’s bug report at https://bugzilla.mozilla.org/show_bug.cgi?id=1577014 about DigiCert’s OCSP responder returning incorrect results for a precertificate. This prompted us to run our own investigation. We found in an initial review that for 35 of our precertificates, we were serving incorrect OCSP results (“unauthorized” instead of “good”). Like DigiCert, this happened when a precertificate was issued, but the corresponding certificate was not issued due to an error.

We’re taking these additional steps to ensure a robust fix:

- For each precertificate issued according to our audit logs, verify that we are serving a corresponding OCSP response (if the precertificate is currently valid).
- Configure alerting for the conditions that create this problem, so we can fix any instances that arise in the short term.
- Deploy a code change to Boulder to ensure that we serve OCSP even if an error occurs after precertificate issuance.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
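The first remediation step in the quoted report (walk the audit log of precertificates and confirm each live one gets a proper OCSP answer) and the question in the reply (whether "good" or "revoked" is the right answer for a precertificate whose final certificate never issued) come down to the same check: a CT-logged precertificate that has not expired must receive a definitive status, not "unauthorized" or "unknown". The script below is an added, stdlib-only illustration of that check; it is not Boulder, Let's Encrypt or DigiCert code. It builds the DER for an unsigned OCSP request (RFC 6960 section 4.1), classifies a DER OCSP response for a given serial, and flags the failure modes named in the thread. The issuer name, public-key bytes and responses are constructed locally so it runs offline; signature verification of the BasicOCSPResponse is deliberately omitted and must be added before using this against a real responder.

```python
import hashlib
from datetime import datetime, timezone

# --- minimal DER helpers, enough for the RFC 6960 structures used here -------
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n: int) -> bytes:
    """Positive INTEGER; DER needs a leading 0x00 when the top bit is set."""
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)

def read_tlv(data: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the element starting at pos."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length, hdr = int.from_bytes(data[pos + 2:pos + 2 + nbytes], "big"), 2 + nbytes
    return tag, data[pos + hdr:pos + hdr + length], pos + hdr + length

def children(body: bytes):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

SHA1_ALGID = tlv(0x30, tlv(0x06, bytes.fromhex("2b0e03021a")) + b"\x05\x00")
ID_PKIX_OCSP_BASIC = tlv(0x06, bytes.fromhex("2b0601050507300101"))
RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                   3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
CERT_STATUS = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}  # [0] NULL, [1] RevokedInfo, [2] NULL

def cert_id(issuer_name_der: bytes, issuer_spk: bytes, serial: int) -> bytes:
    """CertID: SHA-1 over the issuer Name DER and over the issuer subjectPublicKey bits."""
    return tlv(0x30, SHA1_ALGID + tlv(0x04, hashlib.sha1(issuer_name_der).digest())
               + tlv(0x04, hashlib.sha1(issuer_spk).digest()) + der_int(serial))

def build_ocsp_request(issuer_name_der: bytes, issuer_spk: bytes, serial: int) -> bytes:
    """Unsigned OCSPRequest { TBSRequest { requestList { Request { CertID } } } }."""
    return tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x30, cert_id(issuer_name_der, issuer_spk, serial)))))

def parse_ocsp_response(der: bytes, serial: int):
    """Return (responseStatus, certStatus for `serial` or None). No signature check here."""
    parts = children(read_tlv(der)[1])
    status = RESPONSE_STATUS.get(parts[0][1][0], "reserved")
    if status != "successful":
        return status, None                       # error statuses carry no ResponseBytes
    _oid, basic = [val for _tag, val in children(children(parts[1][1])[0][1])]
    tbs = children(read_tlv(basic)[1])[0][1]      # BasicOCSPResponse.tbsResponseData
    responses = next(val for tag, val in children(tbs) if tag == 0x30)
    for _tag, single in children(responses):
        fields = children(single)                 # certID, certStatus, thisUpdate, ...
        if int.from_bytes(children(fields[0][1])[3][1], "big") == serial:
            return status, CERT_STATUS.get(fields[1][0], "invalid")
    return status, None

def audit_precert(serial: int, not_after: datetime, response_der: bytes, now: datetime) -> str:
    """A live, CT-logged precertificate must get a definitive answer, never unauthorized/unknown."""
    if now > not_after:
        return "skip: precertificate expired, no response required"
    rstatus, cstatus = parse_ocsp_response(response_der, serial)
    if rstatus != "successful":
        return f"BUG: responder returned {rstatus} for a live precertificate"
    if cstatus in ("good", "revoked"):
        return f"ok: {cstatus}"
    return f"BUG: no definitive status for serial {serial:x} ({cstatus})"

# --- constructed sample data (not a real CA and not real responder output) ---
def make_error_response(code: int) -> bytes:
    return tlv(0x30, tlv(0x0A, bytes([code])))

def make_basic_response(name_der: bytes, spk: bytes, serial: int, cert_status: bytes) -> bytes:
    """Successful OCSPResponse with a placeholder (not valid) signature, for offline tests."""
    when = tlv(0x18, b"20190829000000Z")
    single = tlv(0x30, cert_id(name_der, spk, serial) + cert_status + when)
    tbs = tlv(0x30, tlv(0xA2, tlv(0x04, hashlib.sha1(spk).digest())) + when + tlv(0x30, single))
    basic = tlv(0x30, tbs + SHA1_ALGID + tlv(0x03, b"\x00" * 5))
    return tlv(0x30, tlv(0x0A, b"\x00") + tlv(0xA0, tlv(0x30, ID_PKIX_OCSP_BASIC + tlv(0x04, basic))))

SAMPLE_ISSUER_NAME = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403"))
                                                  + tlv(0x0C, b"Constructed Test CA"))))
SAMPLE_ISSUER_SPK = b"constructed-public-key-bits"   # stands in for real subjectPublicKey bits
SAMPLE_NOW = datetime(2019, 8, 29, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = datetime(2019, 11, 27, tzinfo=timezone.utc)

def demo() -> dict:
    """Run the audit over the answers a precertificate could receive from a responder."""
    n, k = SAMPLE_ISSUER_NAME, SAMPLE_ISSUER_SPK
    revoked = tlv(0xA1, tlv(0x18, b"20190829000000Z"))   # RevokedInfo { revocationTime }
    cases = {"good": make_basic_response(n, k, 0x1234, b"\x80\x00"),
             "revoked": make_basic_response(n, k, 0x1234, revoked),
             "unknown": make_basic_response(n, k, 0x1234, b"\x82\x00"),
             "unauthorized": make_error_response(6),
             "wrong_serial": make_basic_response(n, k, 0x5678, b"\x80\x00")}
    return {name: audit_precert(0x1234, SAMPLE_NOT_AFTER, der, SAMPLE_NOW) for name, der in cases.items()}

if __name__ == "__main__":
    for name, finding in demo().items():
        print(f"{name:>13}: {finding}")
```

To run this against a live responder, POST the bytes from `build_ocsp_request` with `Content-Type: application/ocsp-request` to the OCSP URL in the precertificate's AIA extension, pass the response body to `audit_precert`, and verify the BasicOCSPResponse signature against the issuer or its delegated responder certificate before trusting the status. Both "good" and "revoked" count as acceptable here, which is exactly the point of disagreement in the thread; the script only insists that the answer be definitive.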