Re: Violations of Baseline Requirements 4.9.10
On Wednesday, 30 August 2017, 10:58:34 (UTC+2), Paul Kehrer wrote:
> Hi David,
>
> If you use the cert at https://crt.sh/?id=1616324 as issuer (the root
> itself) and run this command:
>
> openssl ocsp -issuer 1616324.crt -serial 10101010101010111101001101
> -url http://ocsp.izenpe.com -noverify
>
> You will get back
>
> This Update: Jun 22 11:06:43 2017 GMT
> Next Update: Jun 22 11:06:43 2018 GMT
>
> Of course, no serverAuth certificates should be issued directly off the
> root, but the root is still enabled for that purpose so the responder
> should respond UNAUTHORIZED here (UNAUTHORIZED instead of UNKNOWN to allow
> the root to stay offline).
>
> On August 30, 2017 at 4:42:10 PM, David Fernandez via dev-security-policy (
> dev-security-policy@lists.mozilla.org) wrote:
>
> Hi Paul,
> can you provide what you posted, for example attaching the ocsp response. I
> mean if I query for a non-existent certificate, I get the following answer:
>
> openssl ocsp -no_cert_verify -no_signature_verify -issuer SSLEV_IZENPE.cer
> -serial 0x295990755083049101712519384020072382191 -url
> http://ocsp.izenpe.com
>
> Response verify OK
> 0x295990755083049101712519384020072382191: revoked
> This Update: Aug 30 08:36:05 2017 GMT
> Next Update: Sep 1 08:36:05 2017 GMT
> Reason: certificateHold
> Revocation Time: Jan 1 00:00:00 1970 GMT
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

Hi Paul,

We have been looking for the same problem in all our IZENPE Subordinate CAs, and found that the problem was only affecting our Root. After performing the changes to fix the problem and validations in our Development system, we fixed the problem in our production environment a couple of hours ago.

Thank you for warning all of us.
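The probe Paul describes above (ask the responder about a serial the CA never issued and look at what comes back) can be turned into a repeatable compliance check. The following is an added example written for this thread, not code posted by anyone in it or by IZENPE. It assumes the plain-text output format of `openssl ocsp` as pasted above; the sample outputs are constructed from those pastes, and the `good` status line for the root responder is an assumption, since Paul's paste shows only the update times. Under BR 4.9.10 a responder must not answer `good` for a certificate that was never issued; `unknown`, a responder-level `unauthorized`, or the RFC 6960 section 2.2 convention of `revoked` with reason `certificateHold` and a revocation time of 1 January 1970 all avoid that.

```python
"""Classify `openssl ocsp` output for a probe serial against BR 4.9.10.

Added example, not code from the mailing-list thread. It assumes the
plain-text output format of `openssl ocsp`; the sample outputs below are
constructed from the pastes in the thread and are not live captures.
"""
import re
import secrets
from datetime import datetime

# `openssl ocsp` prints one status line per queried serial: "<serial>: <status>"
_STATUS_RE = re.compile(
    r"^(?P<serial>0x[0-9A-Fa-f]+|[0-9]+): (?P<status>good|revoked|unknown)\s*$", re.M)
# Responder-level error, e.g. "Responder Error: unauthorized (6)"
_RESP_ERR_RE = re.compile(r"^Responder Error: (?P<err>\w+)", re.M)
_FIELD_RE = r"^\s*{}: (.+)$"
_TIME_FMT = "%b %d %H:%M:%S %Y %Z"   # e.g. "Aug 30 08:36:05 2017 GMT"


def random_probe_serial(nbytes: int = 16) -> str:
    """A serial that, with overwhelming probability, no CA has ever issued."""
    return "0x" + secrets.token_hex(nbytes)


def build_probe_command(issuer_pem: str, url: str, serial: str) -> list:
    """Argument vector for the probe. -noverify is used because the response
    signature is not what is under test here; verify it separately in an audit."""
    return ["openssl", "ocsp", "-issuer", issuer_pem, "-serial", serial,
            "-url", url, "-noverify"]


def _field(text: str, name: str):
    m = re.search(_FIELD_RE.format(re.escape(name)), text, re.M)
    return m.group(1).strip() if m else None


def _parse_time(s):
    # strptime tolerates the double space openssl prints for single-digit days
    return datetime.strptime(s, _TIME_FMT) if s else None


def classify(output: str) -> dict:
    """Decide whether the responder's answer for a never-issued serial complies."""
    err = _RESP_ERR_RE.search(output)
    if err:
        return {"status": "error:" + err.group("err"), "compliant": True,
                "note": "responder declined to answer; no 'good' was asserted"}
    m = _STATUS_RE.search(output)
    if not m:
        raise ValueError("no OCSP status line found in output")
    status = m.group("status")
    result = {"status": status, "serial": m.group("serial")}
    this_upd = _parse_time(_field(output, "This Update"))
    next_upd = _parse_time(_field(output, "Next Update"))
    if this_upd and next_upd:
        # Length of the validity window; a year-long window for a
        # subscriber-level serial is worth a second look in an audit.
        result["validity_days"] = (next_upd - this_upd).total_seconds() / 86400
    if status == "good":
        result.update(compliant=False,
                      note="'good' for a non-issued serial violates BR 4.9.10")
    elif status == "revoked":
        reason = _field(output, "Reason")
        rev_time = _parse_time(_field(output, "Revocation Time"))
        non_issued = reason == "certificateHold" and rev_time == datetime(1970, 1, 1)
        result.update(compliant=True, reason=reason,
                      note=("RFC 6960 s2.2 non-issued convention "
                            "(certificateHold, 1970-01-01)" if non_issued else "revoked"))
    else:
        result.update(compliant=True,
                      note="'unknown' is acceptable for a non-issued serial")
    return result


# Constructed from the responses pasted in the thread (not live captures).
IZENPE_NONISSUED_OK = """Response verify OK
0x295990755083049101712519384020072382191: revoked
This Update: Aug 30 08:36:05 2017 GMT
Next Update: Sep  1 08:36:05 2017 GMT
Reason: certificateHold
Revocation Time: Jan  1 00:00:00 1970 GMT
"""
# The 'good' line is assumed; Paul's paste shows only the update times.
ROOT_RESPONDER_GOOD = """10101010101010111101001101: good
This Update: Jun 22 11:06:43 2017 GMT
Next Update: Jun 22 11:06:43 2018 GMT
"""
UNAUTHORIZED = "Responder Error: unauthorized (6)\n"

if __name__ == "__main__":
    print(build_probe_command("1616324.crt", "http://ocsp.izenpe.com",
                              random_probe_serial()))
    for sample in (IZENPE_NONISSUED_OK, ROOT_RESPONDER_GOOD, UNAUTHORIZED):
        print(classify(sample))
```

Run the command `build_probe_command` returns, feed its stdout to `classify`, and treat `compliant: False` as a finding. Probing each issuing CA's responder (not only the root, which is where IZENPE found the fault) is what turns this into a routine check rather than a one-off.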
Re: Violations of Baseline Requirements 4.9.10
Hi Paul,

thank you for the clarification, I thought you were talking about subordinates.

Regards,

On Wednesday, 30 August 2017, 10:58:34 (UTC+2), Paul Kehrer wrote:
> Hi David,
>
> If you use the cert at https://crt.sh/?id=1616324 as issuer (the root
> itself) and run this command:
>
> openssl ocsp -issuer 1616324.crt -serial 10101010101010111101001101
> -url http://ocsp.izenpe.com -noverify
>
> You will get back
>
> This Update: Jun 22 11:06:43 2017 GMT
> Next Update: Jun 22 11:06:43 2018 GMT
>
> Of course, no serverAuth certificates should be issued directly off the
> root, but the root is still enabled for that purpose so the responder
> should respond UNAUTHORIZED here (UNAUTHORIZED instead of UNKNOWN to allow
> the root to stay offline).
>
> On August 30, 2017 at 4:42:10 PM, David Fernandez via dev-security-policy (
> dev-security-policy@lists.mozilla.org) wrote:
>
> Hi Paul,
> can you provide what you posted, for example attaching the ocsp response. I
> mean if I query for a non-existent certificate, I get the following answer:
>
> openssl ocsp -no_cert_verify -no_signature_verify -issuer SSLEV_IZENPE.cer
> -serial 0x295990755083049101712519384020072382191 -url
> http://ocsp.izenpe.com
>
> Response verify OK
> 0x295990755083049101712519384020072382191: revoked
> This Update: Aug 30 08:36:05 2017 GMT
> Next Update: Sep 1 08:36:05 2017 GMT
> Reason: certificateHold
> Revocation Time: Jan 1 00:00:00 1970 GMT
Re: Violations of Baseline Requirements 4.9.10
Hi Paul,

can you provide what you posted, for example attaching the ocsp response. I mean if I query for a non-existent certificate, I get the following answer:

openssl ocsp -no_cert_verify -no_signature_verify -issuer SSLEV_IZENPE.cer
-serial 0x295990755083049101712519384020072382191 -url
http://ocsp.izenpe.com

Response verify OK
0x295990755083049101712519384020072382191: revoked
This Update: Aug 30 08:36:05 2017 GMT
Next Update: Sep 1 08:36:05 2017 GMT
Reason: certificateHold
Revocation Time: Jan 1 00:00:00 1970 GMT