Re: Let's Encrypt: 302 total OCSP responses served beyond acceptable timelines
On Sat, Sep 26, 2020 at 9:09 PM Nick Lamb via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Let's Encrypt provides a community mutual assistance site (with
> contributions from staff) on which a large volume of messages are
> posted each day.
>
> https://community.letsencrypt.org/
>
> Once the problem was identified did you check to see if any messages to
> that site were likely related to this issue? I guess it's not very
> likely with a small number of deviations.

We did not check the Let's Encrypt community site for reports about this issue. There's more detail in the linked Bugzilla issue: the nature of the bug was that it would only occur for certificates that never made it into users' hands, so no one would have seen OCSP errors. Additionally, the OCSP responses did not exceed their NotAfter date, so they would not have produced errors even if they were fetched by user agents.

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Let's Encrypt: 302 total OCSP responses served beyond acceptable timelines
On Fri, 18 Sep 2020 16:48:45 -0700 Kiel Christofferson via dev-security-policy wrote:

> We were notified of the problem by an alert on elevated error-level
> logs. We found that the errors were caused by a recent change to our
> RPC system that, in a certain error case, caused a particular column
> in our certificate status table to have a value of "0" for a specific
> empty field rather than either the expected value or NULL. We
> collected serials and last-update timestamp information for affected
> entries, and enacted a manual plan for continued remediation of these
> entries.

Hi Kiel,

Thank you for reporting this small deviation from required behaviour.

Let's Encrypt provides a community mutual assistance site (with contributions from staff) on which a large volume of messages are posted each day.

https://community.letsencrypt.org/

Once the problem was identified did you check to see if any messages to that site were likely related to this issue? I guess it's not very likely with a small number of deviations.

Nick.