Re: OCSP Responder monitoring (was Re: Violations of Baseline Requirements 4.9.10)

2017-12-19 Thread Wayne Thayer via dev-security-policy
Thanks Rob! I went through the list and filed a bug for each CA if there wasn't one already open (with one exception that I'm still researching). All open OCSP issues are included in the list at https://wiki.mozilla.org/CA/Incident_Dashboard

Wayne

On Mon, Dec 11, 2017 at 10:49 PM, Rob Stradling

Re: OCSP Responder monitoring (was Re: Violations of Baseline Requirements 4.9.10)

2017-12-11 Thread Ryan Sleevi via dev-security-policy
No. It has been prohibited for years in the Baseline Requirements. With an expectation that CAs monitor such requests in light of DigiNotar

On Mon, Dec 11, 2017 at 8:54 PM Peter Gutmann via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Rob Stradling via

Re: OCSP Responder monitoring (was Re: Violations of Baseline Requirements 4.9.10)

2017-12-11 Thread Peter Gutmann via dev-security-policy
Rob Stradling via dev-security-policy writes:

>CAs / Responder URLs that are in scope for, but violate, the BR prohibition
>on returning a signed "Good" response for a random serial number

Isn't that perfectly valid? Despite the misleading name,

OCSP Responder monitoring (was Re: Violations of Baseline Requirements 4.9.10)

2017-12-11 Thread Rob Stradling via dev-security-policy
Inspired by Paul Kehrer's research a few months ago, I've added a continuous OCSP Monitoring feature to crt.sh:

https://crt.sh/ocsp-responders

This page shows the latest results of 3 OCSP checks (performed hourly) against each CA / Responder URL that crt.sh has ever encountered:

1. a GET