While a certain amount of latency in OCSP updates is expected when a certificate is first issued or revoked, KIR intended this to be a permanent "unknown" status for a revoked certificate. My conclusion from this discussion is that such a policy is not permitted, and the existing requirements are enough to make that clear.
I created another bug to track the issue with KIR's auditor, Ernst & Young Poland: https://bugzilla.mozilla.org/show_bug.cgi?id=1525082

KIR has commented in the original bug, and I have confirmed that the certificate is now revoked via OCSP as well as their CRL.

On Sun, Feb 3, 2019 at 2:26 PM bif via dev-security-policy <[email protected]> wrote:

> On Friday, February 1, 2019 at 11:38:40 PM UTC+1, Kurt Roeckx wrote:
> > On Fri, Feb 01, 2019 at 03:02:17PM -0700, Wayne Thayer wrote:
> > > It was pointed out to me that the OCSP status of the misissued certificate
> > > that is valid for over 5 years is still "unknown" despite having been
> > > revoked a week ago.ntrol 6.8.12? [2]
> >
> > If you follow the RFC, the "unknown" answer can mean that it
> > doesn't know, and that another option like a CRL can be tried.
> > With "unknown", it doesn't say anything about being valid or not.
> >
> > I don't think that interpretation is very useful. I think that the
> > OCSP server should know about the certificate before the customer
> > has the certificate.
>
> FWIW, with ACME and automated instant certificates this may be an
> interesting challenge for big CAs. While you can design to try to achieve
> this, there will always be a case of some update not getting through in
> time, and some members of the high availability OCSP responders pool not
> having 100% of issued certificates from the last minute (obviously the
> longer the time from issuance, the sharply lower probability of such an
> event should be, and after a day it is unwise to not have all answers).
>
> > I think that if you have a properly signed
> > certificate within its validity period, the OCSP should always
> > return either "good" or "revoked", never "unknown". Once a
> > certificate is generated and it's not revoked it's valid.
> >
> > Would it be useful to have a requirement in the BRs that the OCSP
> > server should not answer with "unknown" for an issued certificate
> > within its validity period?
> >
> >
> > Kurt
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
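As an added illustration of the two readings of "unknown" in the exchange above (not code from the thread, from KIR or from any CA): the relying-party side follows the RFC semantics and falls back to the CRL, while the audit side applies the expectation Kurt describes, flagging an in-validity certificate that stays "unknown" (or stays non-"revoked" after revocation) past an assumed one-day propagation grace period. The grace period, the function names and the sample observations are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Set

# Assumed propagation grace period; the thread says "after a day it is
# unwise to not have all answers". This is an assumption, not a BR rule.
GRACE = timedelta(days=1)

@dataclass
class OcspObservation:
    serial: str
    not_before: datetime
    not_after: datetime
    issued_at: datetime
    observed_at: datetime
    ocsp_status: str                       # "good", "revoked" or "unknown"
    revoked_at: Optional[datetime] = None  # known revocation time, if any

def client_status(ocsp_status: str, serial: str, crl_serials: Set[str]) -> str:
    """Relying-party view (RFC semantics): 'good'/'revoked' are definitive;
    'unknown' says nothing about validity, so fall back to the CRL."""
    if ocsp_status in ("good", "revoked"):
        return ocsp_status
    return "revoked" if serial in crl_serials else "not-revoked-per-crl"

def audit(obs: OcspObservation) -> Optional[str]:
    """CA-compliance view from the thread: an issued certificate within its
    validity period should not stay 'unknown', nor stay anything other than
    'revoked' after revocation, once propagation latency has passed."""
    if not (obs.not_before <= obs.observed_at <= obs.not_after):
        return None                        # expired or not yet valid: out of scope
    since_issue = obs.observed_at - obs.issued_at
    if obs.ocsp_status == "unknown" and since_issue > GRACE:
        return f"serial {obs.serial}: 'unknown' {since_issue.days} days after issuance"
    if (obs.revoked_at is not None and obs.ocsp_status != "revoked"
            and obs.observed_at - obs.revoked_at > GRACE):
        return f"serial {obs.serial}: revoked but OCSP says '{obs.ocsp_status}'"
    return None

T0 = datetime(2019, 1, 1, tzinfo=timezone.utc)   # constructed timeline
SAMPLE = [  # constructed: a long-lived cert revoked a week ago but still "unknown",
            # and a freshly issued cert whose "unknown" is expected latency
    OcspObservation("01", T0, T0 + timedelta(days=5 * 365), T0,
                    T0 + timedelta(days=30), "unknown", T0 + timedelta(days=23)),
    OcspObservation("02", T0, T0 + timedelta(days=90), T0 + timedelta(days=30),
                    T0 + timedelta(days=30, minutes=5), "unknown"),
]

def findings(observations=SAMPLE):
    """Return the audit findings for a list of observations."""
    return [f for f in map(audit, observations) if f]
```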

