Thanks for posting this Curt. We investigated and posted an incident report on Bugzilla. The root cause was related to pre-certs and an error in generating certificates for them. We're fixing the issue (should be done shortly). I figured it'd be good to document here why pre-certs fall under the requirement so there's no confusion for other CAs.
It can get confusing because, per BRs section 7.1.2.7, a pre-cert is "not considered a certificate subject to the requirements of RFC 5280". The scope of the BRs is also questionable since it's still only applicable to "certificates intended to be used for authenticating servers" (BRs 1.1). By virtue of the poison extension, pre-certs can never be applicable to authenticating servers. Initially, it's easy to think that pre-certs may not require OCSP or the same strict compliance.

I reviewed the CT log policy and, unless I missed something, the policy there is silent on pre-certs and OCSP. I think the requirement for pre-certs comes from two places. The requirements around revocation information originate from Mozilla policy 5.2: "CAs MUST NOT issue certificates that have: ... cRLDistributionPoints or OCSP authorityInfoAccess extensions for which no operational CRL or OCSP service exists." Then in Section 6: "For end-entity certificates, if the CA provides revocation information via an Online Certificate Status Protocol (OCSP) service:" What this means is that a CA including a CRL distribution point or OCSP service in the pre-cert must provide the OCSP/CRL service for the pre-cert, even if there's no possible way the pre-cert can be used by Mozilla on a server.

The idea we had is simply to drop the revocation information from the pre-cert. Unfortunately, this doesn't work either because the pre-cert must be identical to the certificate plus the poison extension.

This was probably obvious to anyone following CT over the years, but the discussion comes up every once in a while internally, so I thought I'd document it externally so others can also chime in. Feel free to substitute SCT for pre-cert if you want to use correct terminology.
Jeremy

-----Original Message-----
From: dev-security-policy <[email protected]> On Behalf Of Curt Spann via dev-security-policy
Sent: Tuesday, August 27, 2019 2:05 PM
To: [email protected]
Subject: DigiCert OCSP services returns 1 byte

Hello,

I created the following bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1577014

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
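The structural point in the message above (a pre-cert is the final certificate plus the critical poison extension, so whatever OCSP/CRL pointers the certificate carries, the pre-cert carries too), as an added example that is not part of this thread or of any CA's code: a Go check, standard library only, that issues a pre-cert and final certificate from one template and verifies they differ only by the poison. The toy CA, the names and the OCSP URL are constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)
var oidCTPoison = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}  // RFC 6962 poison: critical, value NULL
var oidCTSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2} // RFC 6962 SCT list: final cert only
// extSummary renders c's extensions except skip as one sorted string (fmt orders map keys) and reports whether a critical CT poison extension is among them.
func extSummary(c *x509.Certificate, skip asn1.ObjectIdentifier) (summary string, poisoned bool) {
	m := map[string]string{}
	for _, e := range c.Extensions {
		poisoned = poisoned || (e.Id.Equal(oidCTPoison) && e.Critical)
		if !e.Id.Equal(skip) { m[e.Id.String()] = fmt.Sprintf("%t:%x", e.Critical, e.Value) }
	}
	return fmt.Sprint(m), poisoned
}
// precertMatches reports whether pre is final plus the critical poison and nothing else: same serial, names,
// validity and key, and identical extensions (so identical OCSP/CRL pointers) once poison and SCT list are set aside.
func precertMatches(pre, final *x509.Certificate) bool {
	preExts, poisoned := extSummary(pre, oidCTPoison)
	finalExts, _ := extSummary(final, oidCTSCTList)
	return poisoned && preExts == finalExts && pre.SerialNumber.Cmp(final.SerialNumber) == 0 &&
		pre.Subject.String() == final.Subject.String() && pre.Issuer.String() == final.Issuer.String() &&
		pre.NotBefore.Equal(final.NotBefore) && pre.NotAfter.Equal(final.NotAfter) &&
		string(pre.RawSubjectPublicKeyInfo) == string(final.RawSubjectPublicKeyInfo)
}
// makePair issues a pre-cert and its final cert from one leaf template under a constructed toy CA.
func makePair() (pre, final *x509.Certificate, err error) {
	_, key, _ := ed25519.GenerateKey(rand.Reader) // one constructed key serves as both CA and leaf key
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Toy CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames: []string{"example.test"}, NotBefore: ca.NotBefore, NotAfter: ca.NotAfter,
		OCSPServer: []string{"http://ocsp.example.test"}} // constructed URL; the pre-cert carries it too, so it must be served
	poisoned := *leaf
	poisoned.ExtraExtensions = []pkix.Extension{{Id: oidCTPoison, Critical: true, Value: []byte{0x05, 0x00}}}
	var out [2]*x509.Certificate
	for i, tmpl := range []*x509.Certificate{&poisoned, leaf} {
		der, e := x509.CreateCertificate(rand.Reader, tmpl, ca, key.Public(), key)
		if e != nil { return nil, nil, e }
		if out[i], err = x509.ParseCertificate(der); err != nil { return nil, nil, err }
	}
	return out[0], out[1], nil
}
```

Dropping the AIA from the pre-cert alone would make precertMatches fail, which is the reason the revocation pointers cannot simply be omitted.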

