It was recently reported [1] that IdenTrust experienced a multi-day OCSP outage about two weeks ago. Other recent OCSP issues have resulted in incident reports [3][4], so I am concerned that IdenTrust didn't report this, and I created a bug [5] to ensure that we track the issue (assuming the report of an extended outage is accurate).
I also created an issue [6] suggesting that Mozilla clarify expectations for reporting CRL and OCSP outages. These services are notoriously unreliable and I doubt that a constant barrage of reports for brief outages would be manageable. I believe that Mozilla does expect CAs to report "significant" outages, but there is currently no guidance to help CAs determine when they should file a report.

- Wayne

[1] https://www.feistyduck.com/bulletproof-tls-newsletter/issue_64_gcc_code_analyzer_finds_bug_in_openssl
[2] https://community.letsencrypt.org/t/identrust-ocsp-producing-errors/120677
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1622505
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1630040
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=1636544
[6] https://github.com/mozilla/pkipolicy/issues/214

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

