On Thursday, August 29, 2019 at 4:37:04 PM UTC-7, Jacob Hoffman-Andrews wrote:
> Also filed at https://bugzilla.mozilla.org/show_bug.cgi?id=1577652
>
> On 2019.08.28 we read Apple’s bug report at
> https://bugzilla.mozilla.org/show_bug.cgi?id=1577014 about DigiCert’s OCSP
> responder returning incorrect results for a precertificate. This prompted us
> to run our own investigation. We found in an initial review that for 35 of
> our precertificates, we were serving incorrect OCSP results (“unauthorized”
> instead of “good”). Like DigiCert, this happened when a precertificate was
> issued, but the corresponding certificate was not issued due to an error.
>
> We’re taking these additional steps to ensure a robust fix:
> - For each precertificate issued according to our audit logs, verify that
> we are serving a corresponding OCSP response (if the precertificate is
> currently valid).
> - Configure alerting for the conditions that create this problem, so we can
> fix any instances that arise in the short term.
> - Deploy a code change to Boulder to ensure that we serve OCSP even if an
> error occurs after precertificate issuance.
Out of curiosity, what software is checking OCSP for a pre-cert and why? Why does any software need the OCSP status of a pre-cert when it doesn't have the corresponding final cert?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
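The audit-log reconciliation described in the quoted message, as an added example that is not Let's Encrypt's or Boulder's code: it parses constructed audit-log lines (the log format, event names and serials are assumptions), flags precertificates with no matching final certificate (the condition the message says should alert) and, separately, unexpired precertificates whose served OCSP status is anything other than "good".

```python
import re
from datetime import datetime, timezone

# Constructed audit-log lines (hypothetical format, not Boulder's), one event per line.
# A precertificate and its final certificate share the same serial number, which is
# why the reconciliation below keys everything on the serial.
AUDIT_LOG = """\
2019-08-28T10:00:00Z precert_issued serial=0x0a11 not_after=2019-11-26T10:00:00Z
2019-08-28T10:00:01Z cert_issued serial=0x0a11
2019-08-28T10:05:00Z precert_issued serial=0x0a12 not_after=2019-11-26T10:05:00Z
2019-08-28T10:05:01Z issuance_error serial=0x0a12 err="db timeout"
2019-03-01T09:00:00Z precert_issued serial=0x0a13 not_after=2019-05-30T09:00:00Z
"""

# Constructed snapshot of the status the OCSP responder currently serves per serial;
# a serial absent from this table means no response is served at all.
OCSP_STATUS = {"0x0a11": "good", "0x0a12": "unauthorized"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) serial=(?P<serial>0x[0-9a-f]+)"
    r"(?: not_after=(?P<na>\S+))?"
)


def parse_ts(s):
    """Parse the RFC 3339 UTC timestamps used in the constructed log."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconcile(log_text, ocsp_status, now):
    """Return (orphaned, bad_ocsp): serials of precertificates that never got a
    final certificate, and serials of unexpired precertificates whose served
    OCSP status is not 'good' (missing responses count as bad)."""
    precerts, finals = {}, set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line; skip rather than fail the audit
        if m["event"] == "precert_issued":
            precerts[m["serial"]] = parse_ts(m["na"])
        elif m["event"] == "cert_issued":
            finals.add(m["serial"])
    orphaned = sorted(s for s in precerts if s not in finals)
    bad_ocsp = sorted(s for s, not_after in precerts.items()
                      if not_after > now and ocsp_status.get(s) != "good")
    return orphaned, bad_ocsp
```

Expired precertificates (0x0a13 here) are reported as orphaned for alerting but not as OCSP problems, matching the "if the precertificate is currently valid" qualifier in the message.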