Re: Google OCSP service down

2018-02-25 Thread Ryan Hurst via dev-security-policy
> -Original Message- > > From: dev-security-policy [mailto:dev-security-policy- > > bounces+tim.hollebeek=digicert@lists.mozilla.org] On Behalf Of Ryan > > Hurst via dev-security-policy > > Sent: Wednesday, February 21, 2018 9:53 PM > > To: mozilla-dev-securi

RE: Google OCSP service down

2018-02-25 Thread Tim Hollebeek via dev-security-policy
On Behalf Of Ryan > Hurst via dev-security-policy > Sent: Wednesday, February 21, 2018 9:53 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Google OCSP service down > > I wanted to follow up with our findings and a summary of this issue for the > community. >

Re: Google OCSP service down

2018-02-21 Thread Paul Kehrer via dev-security-policy
Thank you for this comprehensive incident report Ryan. Your team's decision to improve the documentation around the right address for reporting is great to see! I wonder if it might also make sense to pull the contact information directly on https://pki.goog above the fold? -Paul (reaperhulk) On

Re: Google OCSP service down

2018-02-21 Thread Ryan Hurst via dev-security-policy
I wanted to follow up with our findings and a summary of this issue for the community. Below you will see a detail on what happened and how we resolved the issue, hopefully this will help explain what happened and potentially others not encounter a similar issue. Summary --- January

Re: Google OCSP service down

2018-01-22 Thread Moudrick M. Dadashov via dev-security-policy
Hi Wayne, This is how it's supposed to work under eIDAS: 1. Check the value of the QCStatement [1] of the certificate under problem (which is the location of PDS); 2. Open the PDS and check relevant contact info as in [2]. Thanks, M.D. [1] see 4.3.4 (QCStatement regarding location of PKI

Re: Google OCSP service down

2018-01-22 Thread Wayne Thayer via dev-security-policy
On Sun, Jan 21, 2018 at 2:14 PM, Ryan Sleevi via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > > I think the whole CA incident reporting question has lots of room for > > improvement. And I think this should be considered in a way that people > > who are not familiar

Re: Google OCSP service down

2018-01-22 Thread Ryan Hurst via dev-security-policy
On Monday, January 22, 2018 at 1:26:01 AM UTC-8, ihave...@gmail.com wrote: > Hi, > > Just as an FYI, I am still getting 404. My geographic location is UAE if that > helps at all. > > My openssl command: > openssl ocsp -issuer gtsx1.pem -cert goodr1demopkigoog.crt -url >

Re: Google OCSP service down

2018-01-22 Thread ihavesmime--- via dev-security-policy
Hi, Just as an FYI, I am still getting 404. My geographic location is UAE if that helps at all. My openssl command: openssl ocsp -issuer gtsx1.pem -cert goodr1demopkigoog.crt -url http://ocsp.pki.goog/GTSGIAG3 -CAfile gtsrootr1.pem Error querying OCSP responder 77317:error:27075072:OCSP

Re: Google OCSP service down

2018-01-21 Thread Ryan Hurst via dev-security-policy
On Sunday, January 21, 2018 at 1:42:59 PM UTC-8, Ryan Hurst wrote: > On Sunday, January 21, 2018 at 1:29:58 PM UTC-8, s...@gmx.ch wrote: > > Hi > > > > Thanks for investigating. > > > > I can confirm that the service is now working again for me most of the > > time, but some queries still fail

Re: Google OCSP service down

2018-01-21 Thread Ryan Hurst via dev-security-policy
On Sunday, January 21, 2018 at 1:29:58 PM UTC-8, s...@gmx.ch wrote: > Hi > > Thanks for investigating. > > I can confirm that the service is now working again for me most of the > time, but some queries still fail (may be due to load balancing in the > backend?). > Thank you for your report and

Re: Google OCSP service down

2018-01-21 Thread sjw--- via dev-security-policy
Hi Thanks for investigating. First of all, my previous curl command is not suitable to verify an OCSP status. It only works for OCSP stapling which is not supported by Google servers. You may use openssl ocsp instead: openssl ocsp -issuer [GoogleInternetAuthorityG2.crt] -cert [googlecom.crt]

Re: Google OCSP service down

2018-01-21 Thread Ryan Sleevi via dev-security-policy
On Sun, Jan 21, 2018 at 4:00 PM Hanno Böck via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hi, > > On Sun, 21 Jan 2018 12:09:23 -0800 (PST) > Ryan Hurst via dev-security-policy > wrote: > > > We maintain contact details both within

Re: Google OCSP service down

2018-01-21 Thread Ryan Sleevi via dev-security-policy
On Sun, Jan 21, 2018 at 2:08 PM David E. Ross via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 1/21/2018 9:50 AM, Ryan Sleevi wrote: > > I couldn’t find that listed in the CP/CPS as where to report problems. > > Instead, I see a different email listed. > > > > What

Re: Google OCSP service down

2018-01-21 Thread Hanno Böck via dev-security-policy
Hi, On Sun, 21 Jan 2018 12:09:23 -0800 (PST) Ryan Hurst via dev-security-policy wrote: > We maintain contact details both within our CPS (like other CAs) and > at https://pki.goog so that people can reach us expeditiously. In the > future if anyone needs

Re: Google OCSP service down

2018-01-21 Thread Ryan Hurst via dev-security-policy
> > Is there a known contact to report it (or is someone with a Google hat > > reading this anyway)? > David, I am sorry you experienced difficulty in contacting us about this issue. We maintain contact details both within our CPS (like other CAs) and at https://pki.goog so that people can

Re: Google OCSP service down

2018-01-21 Thread Ryan Hurst via dev-security-policy
> > We are investigating the issue and will provide an update when that > investigation is complete. > > Thank you for letting us know. > > Ryan Hurst > Product Manager > Google I wanted to provide an update to the group. The issue has been identified and a roll out of the fix is in progress

Re: Google OCSP service down

2018-01-21 Thread David E. Ross via dev-security-policy
On 1/21/2018 9:50 AM, Ryan Sleevi wrote: > I couldn’t find that listed in the CP/CPS as where to report problems. > Instead, I see a different email listed. > > What made you decide to ignore the CP/CPS, which is where CAs list their > problem reporting mechanisms? > > Given that a CA’s CP/CPS

Re: Google OCSP service down

2018-01-21 Thread Ryan Sleevi via dev-security-policy
On Sun, Jan 21, 2018 at 11:12 AM David E. Ross via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 1/21/2018 7:47 AM, Paul Kehrer wrote: > > Is there a known contact to report it (or is someone with a Google hat > > reading this anyway)? > > On Friday (two days ago), I

Re: Google OCSP service down

2018-01-21 Thread Ryan Hurst via dev-security-policy
On Sunday, January 21, 2018 at 8:13:30 AM UTC-8, David E. Ross wrote: > On 1/21/2018 7:47 AM, Paul Kehrer wrote: > > Is there a known contact to report it (or is someone with a Google hat > > reading this anyway)? > > On Friday (two days ago), I reported this to dns-ad...@google.com, the > only

Re: Google OCSP service down

2018-01-21 Thread David E. Ross via dev-security-policy
On 1/21/2018 7:47 AM, Paul Kehrer wrote: > Is there a known contact to report it (or is someone with a Google hat > reading this anyway)? On Friday (two days ago), I reported this to dns-ad...@google.com, the only E-mail address in the WhoIs record for google.com. I received an automated reply

Google OCSP service down

2018-01-21 Thread sjw--- via dev-security-policy
Hi Google delivers the certificate [1] to me, for *.google.com, *.youtube.com and other major services. However, the OCSP service [2] does not work for me. I verified this from multiple locations, machines, OSes and versions of Firefox. Furthermore, I used SSL Labs [3] and the status on crt.sh