Re: Google OCSP service down

2018-01-21 Thread Ryan Hurst via dev-security-policy
On Sunday, January 21, 2018 at 1:42:59 PM UTC-8, Ryan Hurst wrote: > On Sunday, January 21, 2018 at 1:29:58 PM UTC-8, s...@gmx.ch wrote: > > Hi > > > > Thanks for investigating. > > > > I can confirm that the service is now working again for me most of the > > time, but some queries still fail

Re: Google OCSP service down

2018-01-21 Thread Ryan Hurst via dev-security-policy
On Sunday, January 21, 2018 at 1:29:58 PM UTC-8, s...@gmx.ch wrote: > Hi > > Thanks for investigating. > > I can confirm that the service is now working again for me most of the > time, but some queries still fail (may be due load balancing in the > backend?). > Thank you for your report and

Re: Google OCSP service down

2018-01-21 Thread sjw--- via dev-security-policy
Hi Thanks for investigating. First of all, my previously curl command is not suitable to verify a OCSP status. It only works for OCSP stapling which is not supported by Google servers. You may use openssl ocsp instead: openssl ocsp -issuer [GoogleInternetAuthorityG2.crt] -cert [googlecom.crt]

Re: Google OCSP service down

2018-01-21 Thread Ryan Sleevi via dev-security-policy
On Sun, Jan 21, 2018 at 4:00 PM Hanno Böck via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hi, > > On Sun, 21 Jan 2018 12:09:23 -0800 (PST) > Ryan Hurst via dev-security-policy > wrote: > > > We maintain contact details both within

Re: Google OCSP service down

2018-01-21 Thread Ryan Sleevi via dev-security-policy
On Sun, Jan 21, 2018 at 2:08 PM David E. Ross via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 1/21/2018 9:50 AM, Ryan Sleevi wrote: > > I couldn’t find that listed in the CP/CPS as where to report problems. > > Instead, I see a different email listed. > > > > What

Re: Google OCSP service down

2018-01-21 Thread Hanno Böck via dev-security-policy
Hi, On Sun, 21 Jan 2018 12:09:23 -0800 (PST) Ryan Hurst via dev-security-policy wrote: > We maintain contact details both within our CPS (like other CAs) and > at https://pki.goog so that people can reach us expeditiously. In the > future if anyone needs

Re: Google OCSP service down

2018-01-21 Thread Ryan Hurst via dev-security-policy
> > Is there a known contact to report it (or is someone with a Google hat > > reading this anyway)? > David, I am sorry you experienced difficulty in contacting us about this issue. We maintain contact details both within our CPS (like other CAs) and at https://pki.goog so that people can

Re: Google OCSP service down

2018-01-21 Thread Ryan Hurst via dev-security-policy
> > We are investigating the issue and will provide a update when that > investigation is complete. > > Thank you for letting us know. > > Ryan Hurst > Product Manager > Google I wanted to provide an update to the group. The issue has been identified and a roll out of the fix is in progress

Re: Google OCSP service down

2018-01-21 Thread David E. Ross via dev-security-policy
On 1/21/2018 9:50 AM, Ryan Sleevi wrote: > I couldn’t find that listed in the CP/CPS as where to report problems. > Instead, I see a different email listed. > > What made you decide to ignore the CP/CPS, which is where CAs list their > problem reporting mechanisms? > > Given that a CA’s CP/CPS

Re: Google OCSP service down

2018-01-21 Thread Ryan Sleevi via dev-security-policy
On Sun, Jan 21, 2018 at 11:12 AM David E. Ross via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 1/21/2018 7:47 AM, Paul Kehrer wrote: > > Is there a known contact to report it (or is someone with a Google hat > > reading this anyway)? > > On Friday (two days ago), I

Re: Google OCSP service down

2018-01-21 Thread Ryan Hurst via dev-security-policy
On Sunday, January 21, 2018 at 8:13:30 AM UTC-8, David E. Ross wrote: > On 1/21/2018 7:47 AM, Paul Kehrer wrote: > > Is there a known contact to report it (or is someone with a Google hat > > reading this anyway)? > > On Friday (two days ago), I reported this to dns-ad...@google.com, the > only

Re: Google OCSP service down

2018-01-21 Thread David E. Ross via dev-security-policy
On 1/21/2018 7:47 AM, Paul Kehrer wrote: > Is there a known contact to report it (or is someone with a Google hat > reading this anyway)? On Friday (two days ago), I reported this to dns-ad...@google.com, the only E-mail address in the WhoIs record for google.com. I received an automated reply

Google OCSP service down

2018-01-21 Thread sjw--- via dev-security-policy
Hi Google delivers the certificate [1] to me, for *.google.com, *.youtube.com and other major services. However, the OCSP service [2] does not work for me. I verified this from multiple locations, machines, OSes and versions of Firefox. Furthermore, I used SSL Labs [3] and the status on crt.sh