Re: OCSP Responder monitoring (was Re: Violations of Baseline Requirements 4.9.10)

Thanks Rob! I went through the list and filed a bug for each CA if there wasn't one already open (with one exception that I'm still researching). All open OCSP issues are included in the list at https://wiki.mozilla.org/CA/Incident_Dashboard Wayne On Mon, Dec 11, 2017 at 10:49 PM, Rob Stradling

Re: OCSP Responder monitoring (was Re: Violations of Baseline Requirements 4.9.10)

No. It has been prohibited for years in the Baseline Requirements. With an expectation that CAs monitor such requests in light of DigiNotar On Mon, Dec 11, 2017 at 8:54 PM Peter Gutmann via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Rob Stradling via

Re: OCSP Responder monitoring (was Re: Violations of Baseline Requirements 4.9.10)

Rob Stradling via dev-security-policy writes: >CAs / Responder URLs that are in scope for, but violate, the BR prohibition >on returning a signed a "Good" response for a random serial number Isn't that perfectly valid? Despite the misleading name,

OCSP Responder monitoring (was Re: Violations of Baseline Requirements 4.9.10)

Inspired by Paul Kehrer's research a few months ago, I've added a continuous OCSP Monitoring feature to crt.sh: https://crt.sh/ocsp-responders This page shows the latest results of 3 OCSP checks (performed hourly) against each CA / Responder URL that crt.sh has ever encountered: 1. a GET

RE: Violations of Baseline Requirements 4.9.10

Hi Ben, DN: CN=Cartão de Cidadão 001, OU=ECEstado, O=SCEE - Sistema de Certificação Electrónica do Estado, C=PT Downloading the issuer (https://crt.sh/?id=8949008) and then running: openssl ocsp -issuer 8949008.crt -serial 101010101010101101010101010 -no_nonce -url

RE: Violations of Baseline Requirements 4.9.10

Could someone re-check Multicert and SCEE? (See below.) They have indicated to us that they have now patched their OCSP responder systems. DN: CN=Cartão de Cidadão 001, OU=ECEstado, O=SCEE - Sistema de Certificação Electrónica do Estado, C=PT Example cert: https://crt.sh/?id=12729446 OCSP

Re: Violations of Baseline Requirements 4.9.10

> AS Sertifitseerimiskeskuse (SK) > > CCADB does not list an email address. Not CC'd. > > DN: C=EE, O=AS Sertifitseerimiskeskus, CN=EE Certification Centre Root CA, > emailAddress=p...@sk.ee > Example cert: > https://crt.sh/?q=74d992d3910bcf7e34b8b5cd28f91eaeb4f41f3da6394d78b8c43672d43f4f0f >

RE: Violations of Baseline Requirements 4.9.10

@lists.mozilla.org] On Behalf Of Paul Kehrer via dev-security-policy Sent: Friday, September 8, 2017 6:19 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Violations of Baseline Requirements 4.9.10 On September 9, 2017 at 2:16:38 AM, Kathleen Wilson via dev-security-policy (dev-security-policy

Re: Violations of Baseline Requirements 4.9.10

On September 9, 2017 at 2:16:38 AM, Kathleen Wilson via dev-security-policy (dev-security-policy@lists.mozilla.org) wrote: Bugs filed… ~ Thanks, Kathleen Thank you very much Kathleen! If I receive additional responses I will update the bugs directly. -Paul

Re: Violations of Baseline Requirements 4.9.10

Bugs filed… > > AS Sertifitseerimiskeskuse (SK) > Bug #1398233 > > Autoridad de Certificacion Firmaprofesional > Bug #1398240 > > CA Disig a.s. (Fixed as of 2017-08-31) > Bug #1398242 > > certSIGN (partially resolved) > Bug #1398243 > > Consorci Administració Oberta de Catalunya

Re: Violations of Baseline Requirements 4.9.10

> On Sep 8, 2017, at 12:27, Kathleen Wilson via dev-security-policy > wrote: > >> I have updated the list again to note the additional responders fixed (in >> this update: CA Disig, PKIoverheid, Izenpe). To make this email slightly >> less enormous I've

Re: Violations of Baseline Requirements 4.9.10

I'm going to file the Bugzilla Bugs for each of these CAs, as follows. == Bug Summary: : Non-BR-Compliant OCSP Responders Bug Description: Problems have been found with OCSP responders for this CA, and reported in the mozilla.dev.security.policy forum here:

Re: Violations of Baseline Requirements 4.9.10

I have updated the list again to note the additional responders fixed (in this update: CA Disig, PKIoverheid, Izenpe). To make this email slightly less enormous I've also started removing everything but the CA's name when I have confirmed that all the reported responders are now properly

RE: Violations of Baseline Requirements 4.9.10

<mailto:mozilla-dev-security-pol...@lists.mozilla.org> Subject: Violations of Baseline Requirements 4.9.10 I've recently completed a scan of OCSP responders with a focus on checking whether they are compliant with BR section 4.9.10's requirement: "Effective 1 August 2013, OCSP responders fo

Re: Violations of Baseline Requirements 4.9.10

> Government of The Netherlands, PKIoverheid (Logius) > > DN: C=NL, O=KPN Corporate Market BV, CN=KPN Corporate Market CSP > Organisatie CA - G2 > Example cert: > https://crt.sh/?q=f821a600af00d2fa23f569e00fdf2379bc182920205a6b9b0276733cb2857c15 > OCSP URI: http://ocsp2.managedpki.com Dear

Re: Violations of Baseline Requirements 4.9.10

> Government of The Netherlands, PKIoverheid (Logius) > DN: C=NL, O=KPN Corporate Market BV, CN=KPN Corporate Market CSP > Organisatie CA - G2 > Example cert: > https://crt.sh/?q=f821a600af00d2fa23f569e00fdf2379bc182920205a6b9b0276733cb2857c15 > OCSP URI: http://ocsp2.managedpki.com Dear

RE: Violations of Baseline Requirements 4.9.10

-security-policy-bounces+h-kamo=secom.co...@lists.mozilla.org] On > Behalf Of Paul Kehrer > via dev-security-policy > Sent: Thursday, August 31, 2017 10:02 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Violations of Baseline Requirements 4.9.10 > >

Re: Violations of Baseline Requirements 4.9.10

Kurt, I think both the past experiences of m.d.s.policy with incidents that went undetected by auditors, and my own personal experience (not as part of the Web PKI) with professional audit firms is that they're not strong on the sort of technical requirements that we've seen here. If the rule

Re: Violations of Baseline Requirements 4.9.10

El miércoles, 30 de agosto de 2017, 10:58:34 (UTC+2), Paul Kehrer escribió: > Hi David, > > If you use the cert at https://crt.sh/?id=1616324 as issuer (the root > itself) and run this command: > > openssl ocsp -issuer 1616324.crt -serial 10101010101010111101001101 > -url

Re: Violations of Baseline Requirements 4.9.10

On 2017-08-29 14:47, Paul Kehrer wrote: I've recently completed a scan of OCSP responders with a focus on checking whether they are compliant with BR section 4.9.10's requirement: "Effective 1 August 2013, OCSP responders for CAs which are not Technically Constrained in line with Section 7.1.5

Re: Violations of Baseline Requirements 4.9.10

pol...@lists.mozilla.org> Subject: Violations of Baseline Requirements 4.9.10 I've recently completed a scan of OCSP responders with a focus on checking whether they are compliant with BR section 4.9.10's requirement: "Effective 1 August 2013, OCSP responders for CAs which are not Technically Constrai

Re: Violations of Baseline Requirements 4.9.10

I have updated the list below to try to capture all the information provided in this thread about which responders have been fixed (and verified using another random serial number), which ones have a date, and removed the ones that are actually under technical constraint that I missed. I have

RE: Violations of Baseline Requirements 4.9.10

if they are enabled for issuing. Regards Peter Miskovic From: Paul Kehrer [mailto:paul.l.keh...@gmail.com] Sent: Tuesday, August 29, 2017 2:48 PM To: mozilla-dev-security-pol...@lists.mozilla.org<mailto:mozilla-dev-security-pol...@lists.mozilla.org> Subject: Violations of Baseline Requirements

RE: Violations of Baseline Requirements 4.9.10

On August 30, 2017 at 4:53:54 AM, Ben Wilson via dev-security-policy ( dev-security-policy@lists.mozilla.org) wrote: This CA is technically constrained: DN: C=CH, L=Zurich, O=ABB, CN=ABB Issuing CA 6 Hi Ben, ABB Intermediate CA 3 (https://crt.sh/?id=7739892), which issued ABB Issuing CA

Re: Violations of Baseline Requirements 4.9.10

On Tuesday, August 29, 2017 at 9:41:07 AM UTC-4, Paul Kehrer wrote: > I've recently completed a scan of OCSP responders with a focus on checking > whether they are compliant with BR section 4.9.10's requirement: "Effective > 1 August 2013, OCSP responders for CAs which are not Technically >

FW: Violations of Baseline Requirements 4.9.10

and will be fixed until 15.09.2017. Kind regards, Cristian Garabet From: Paul Kehrer Sent: Tuesday, August 29, 2017 3:47:41 PM (UTC+02:00) Athens, Bucharest To: mozilla-dev-security-pol...@lists.mozilla.org<mailto:mozilla-dev-security-pol...@lists.mozilla.org> Subject: Violations of Ba

RE: Violations of Baseline Requirements 4.9.10

___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

Re: Violations of Baseline Requirements 4.9.10

Hi Paul, thank you for the clarification, I thought you were talking about subordinates. Regards, El miércoles, 30 de agosto de 2017, 10:58:34 (UTC+2), Paul Kehrer escribió: > Hi David, > > If you use the cert at https://crt.sh/?id=1616324 as issuer (the root > itself) and run this command: >

Re: Violations of Baseline Requirements 4.9.10

Hi David, If you use the cert at https://crt.sh/?id=1616324 as issuer (the root itself) and run this command: openssl ocsp -issuer 1616324.crt -serial 10101010101010111101001101 -url http://ocsp.izenpe.com -noverify You will get back This Update: Jun 22 11:06:43 2017 GMT Next Update: Jun

Re: Violations of Baseline Requirements 4.9.10

Hi Paul, can you provide what you posted, for example attaching the ocsp response. I mean if I query for a non-existant certificate, I get the following answer: openssl ocsp -no_cert_verify -no_signature_verify -issuer SSLEV_IZENPE.cer -serial 0x295990755083049101712519384020072382191 -url

RE: Violations of Baseline Requirements 4.9.10

...@lists.mozilla.org<mailto:mozilla-dev-security-pol...@lists.mozilla.org> Subject: Violations of Baseline Requirements 4.9.10 I've recently completed a scan of OCSP responders with a focus on checking whether they are compliant with BR section 4.9.10's requirement: "Effective 1 August 2013, OCSP

Re: Violations of Baseline Requirements 4.9.10

ISSP > > VP Compliance > > +1 801 701 9678 > > > > > > From: Paul Kehrer [mailto:paul.l.keh...@gmail.com] > Sent: Tuesday, August 29, 2017 6:48 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Violations of Baseline Requirements 4.9.10 > > &

Re: Violations of Baseline Requirements 4.9.10

On 2017-08-30 08:46, Adriano Santoni wrote: >>  - 2 are technically constrained sub-CAs ( https://crt.sh/?id=147626411 / https://crt.sh/?id=47081615 ) Those two are actually the same certificate; it's not clear to me why they appear twice on crt.sh I didn't look if all the name constrains

Re: Violations of Baseline Requirements 4.9.10

>>  - 2 are technically constrained sub-CAs ( https://crt.sh/?id=147626411 / https://crt.sh/?id=47081615 ) Those two are actually the same certificate; it's not clear to me why they appear twice on crt.sh Il 29/08/2017 18:50, Ryan Sleevi via dev-security-policy ha scritto: On Tue, Aug 29,

RE: Violations of Baseline Requirements 4.9.10

This CA is technically constrained: DN: C=CH, L=Zurich, O=ABB, CN=ABB Issuing CA 6 From: Paul Kehrer [mailto:paul.l.keh...@gmail.com] Sent: Tuesday, August 29, 2017 6:48 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Violations of Baseline Requirements 4.9.10 I've

Re: Violations of Baseline Requirements 4.9.10

> Government of The Netherlands, PKIoverheid (Logius) > > DN: C=NL, O=KPN Corporate Market BV, CN=KPN Corporate Market CSP > Organisatie CA - G2 > Example cert: > https://crt.sh/?q=f821a600af00d2fa23f569e00fdf2379bc182920205a6b9b0276733cb2857c15 > OCSP URI: http://ocsp2.managedpki.com Hi Paul,

Re: Violations of Baseline Requirements 4.9.10

On Tuesday, August 29, 2017 at 12:51:05 PM UTC-4, Ryan Sleevi wrote: > On Tue, Aug 29, 2017 at 8:47 AM, Paul Kehrer via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > Symantec / GeoTrust > > > > CCADB does not list an email address. Not CC'd. > > > > DN: C=IT,

Re: Violations of Baseline Requirements 4.9.10

On Tue, Aug 29, 2017 at 8:47 AM, Paul Kehrer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > Symantec / GeoTrust > > CCADB does not list an email address. Not CC'd. > > DN: C=IT, O=UniCredit S.p.A., CN=UniCredit Subordinate External > Example cert: >

RE: Violations of Baseline Requirements 4.9.10

29, 2017 6:48 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Violations of Baseline Requirements 4.9.10 I've recently completed a scan of OCSP responders with a focus on checking whether they are compliant with BR section 4.9.10's requirement: "Effective 1 August 2013,

RE: Violations of Baseline Requirements 4.9.10

of Baseline Requirements 4.9.10 I've recently completed a scan of OCSP responders with a focus on checking whether they are compliant with BR section 4.9.10's requirement: "Effective 1 August 2013, OCSP responders for CAs which are not Technically Constrained in line with Section 7.1.5 MUST NOT re

Violations of Baseline Requirements 4.9.10

I've recently completed a scan of OCSP responders with a focus on checking whether they are compliant with BR section 4.9.10's requirement: "Effective 1 August 2013, OCSP responders for CAs which are not Technically Constrained in line with Section 7.1.5 MUST NOT respond with a "GOOD" status for