
Incorrect OCSP status for revoked intermediates


Corey Bonnell

Jan 27, 2019, 10:50:35 AM
to mozilla-dev-s...@lists.mozilla.org
Hello,
I discovered that the following Baltimore CyberTrust Root-chained intermediates are disclosed in CCADB and are revoked via CRL, but the OCSP responder is returning "good":

DigiCert
crt.sh URL(s),notBefore,notAfter,subject CN,issuer CN
https://crt.sh/?id=3528065,2014-02-12,2021-02-12,Bechtel External Policy CA 1,Baltimore CyberTrust Root
https://crt.sh/?id=91478106,2014-04-16,2024-04-16,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
https://crt.sh/?id=12625621,2014-04-16,2024-04-16,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
https://crt.sh/?id=91478107,2014-04-16,2024-04-16,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
https://crt.sh/?id=12620974,2014-09-10,2024-09-10,Dell Inc. Enterprise CA,Baltimore CyberTrust Root
https://crt.sh/?id=6906659,2015-03-03,2022-03-03,ABB Intermediate CA 3,Baltimore CyberTrust Root
https://crt.sh/?id=6976985,2015-03-18,2022-03-18,Bechtel External Policy CA 1,Baltimore CyberTrust Root
https://crt.sh/?id=35335507,2015-05-21,2022-05-21,ABB Intermediate CA 3,Baltimore CyberTrust Root
https://crt.sh/?id=78292184,2016-11-30,2020-11-30,Eurida Primary CA,Baltimore CyberTrust Root

Given that software may rely on OCSP responses for revocation checking (as opposed to CRLs or some other mechanism), I wanted to notify the Mozilla community of this inconsistent revocation information.

Thanks,
Corey

Ben Wilson

Jan 27, 2019, 4:09:44 PM
to Corey Bonnell, mozilla-dev-s...@lists.mozilla.org
I'll look into this immediately, but have you checked to see whether these certificates have OCSP AIAs in them? Or did you find these by searching our CRLs?


Corey Bonnell

Jan 27, 2019, 4:21:20 PM
to mozilla-dev-s...@lists.mozilla.org
Hi Ben,
Yes, I confirmed that all listed certificates have OCSP AIA pointers. You can use the crt.sh links and click "Check" in the Revocation table's OCSP column to have crt.sh perform the OCSP check for you.

For full disclosure, I found these certificates using Censys.io.

Thanks,
Corey
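The cross-check Corey describes in his two posts above (CRL says revoked, the responder named in the certificate's OCSP AIA says "good"), written out as an added example that is not code from the thread or from crt.sh; it assumes the Python `cryptography` package and that the certificate carries both an OCSP AIA entry and an HTTP CRL distribution point serving DER.

```python
# Added example (not code from the thread): cross-check the OCSP status a
# responder asserts for a certificate against its issuer's CRL, the
# inconsistency Corey reports. Assumes the `cryptography` package.
import urllib.request
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID

def crl_status(cert, issuer, crl):
    """'revoked' if the issuer-signed CRL lists cert's serial, else 'good'."""
    if not crl.is_signature_valid(issuer.public_key()):
        raise ValueError("CRL signature does not verify under the issuer key")
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    return "revoked" if entry is not None else "good"

def ocsp_status(cert, response_der):
    """'good', 'revoked' or 'unknown' from a DER OCSP response; 'error' if the
    response is unsuccessful or is for another serial (signature not checked)."""
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "error"
    if resp.serial_number != cert.serial_number:
        return "error"
    return resp.certificate_status.name.lower()

def cross_check(cert, issuer, crl, response_der):
    """Both statuses; consistent is False exactly when OCSP says 'good' for a
    serial the CRL has revoked, the case reported in this thread."""
    c, o = crl_status(cert, issuer, crl), ocsp_status(cert, response_der)
    return {"crl": c, "ocsp": o, "consistent": not (c == "revoked" and o == "good")}

def fetch_and_check(cert, issuer, timeout=10):
    """Live variant: OCSP URL from the cert's AIA, CRL URL from its first CRL
    distribution point (assumed to be an HTTP full_name serving DER)."""
    aia = cert.extensions.get_extension_for_oid(
        ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
    ocsp_url = next(d.access_location.value for d in aia
                    if d.access_method == AuthorityInformationAccessOID.OCSP)
    cdp = cert.extensions.get_extension_for_oid(
        ExtensionOID.CRL_DISTRIBUTION_POINTS).value
    crl_url = cdp[0].full_name[0].value
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build()
    post = urllib.request.Request(ocsp_url, data=req.public_bytes(serialization.Encoding.DER),
                                  headers={"Content-Type": "application/ocsp-request"})
    with urllib.request.urlopen(post, timeout=timeout) as r:
        response_der = r.read()
    with urllib.request.urlopen(crl_url, timeout=timeout) as r:
        crl = x509.load_der_x509_crl(r.read())
    return cross_check(cert, issuer, crl, response_der)
```

A relying party that sees `consistent: False` should treat the certificate as revoked; the responder's "good" is the unreliable signal here, not the CRL.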

Ben Wilson

Jan 27, 2019, 4:22:58 PM
to Corey Bonnell, mozilla-dev-s...@lists.mozilla.org
Thanks, Corey. As I said, we'll try to get this resolved as soon as
possible and file an incident report.


Ben Wilson

Jan 27, 2019, 7:48:29 PM
to Corey Bonnell, mozilla-dev-s...@lists.mozilla.org
We believe this issue has been fixed.

Wayne Thayer

Jan 29, 2019, 11:49:58 AM
to Ben Wilson, Corey Bonnell, mozilla-dev-s...@lists.mozilla.org
Thanks Corey and Ben. This issue does appear to have been resolved. I've
created a bug requesting an incident report:
https://bugzilla.mozilla.org/show_bug.cgi?id=1523676

- Wayne
