
Re: FOITT does no longer support OCSP


Richard Barnes

Feb 6, 2015, 10:01:01 AM
to s...@gmx.ch, dev-secur...@lists.mozilla.org
Does the FOITT cert chain up to one of the roots in the Mozilla program?

https://wiki.mozilla.org/CA:IncludedCAs

I only see 3 Swisscom roots and 3 SwissSign roots, nothing that is
obviously Swiss government.


On Thu, Feb 5, 2015 at 6:33 PM, <s...@gmx.ch> wrote:

> Hi all
>
> A few weeks ago, I got some mails about a broken iframe. The secure
> connection to the remote server failed (OCSP error). The site was signed
> by Swiss Government SSL CA 01. I contacted the technical support and
> they told me that the Federal Office of Information Technology, Systems
> and Telecommunication (FOITT) of Switzerland shut down their OCSP
> servers! So all secure Swiss gov sites are broken if you require OCSP.
> I contacted them directly and tried to explain why the OCSP service is a
> requirement for a CA, but they do not react.
>
> Maybe someone from the Mozilla security team could contact them again.
>
> Regards,
> Jonas
>
>
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
>

Rob Stradling

Feb 6, 2015, 10:32:38 AM
to Richard Barnes, s...@gmx.ch, dev-secur...@lists.mozilla.org
On 06/02/15 15:00, Richard Barnes wrote:
> Does the FOITT cert chain up to one of the roots in the Mozilla program?
>
> https://wiki.mozilla.org/CA:IncludedCAs
>
> I only see 3 Swisscom roots and 3 SwissSign roots, nothing that is
> obviously Swiss government.

This intermediate CA cert for "Swiss Government SSL CA 01" was issued by
the "Baltimore CyberTrust Root" built-in root.

-----BEGIN CERTIFICATE-----
MIIGKDCCBRCgAwIBAgIEBye2CTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJJ
RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTE0MDkxMDE4NTAzNloX
DTE3MDkxMDE4NTAxMVowgYgxCzAJBgNVBAYTAkNIMR0wGwYDVQQKExRTd2lzcyBH
b3Zlcm5tZW50IFBLSTERMA8GA1UECxMIU2VydmljZXMxIjAgBgNVBAsTGUNlcnRp
ZmljYXRpb24gQXV0aG9yaXRpZXMxIzAhBgNVBAMTGlN3aXNzIEdvdmVybm1lbnQg
U1NMIENBIDAxMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA379210+W
I6Wl63BOe93KXb9T6mw4frXZBPgN6iKcVp4KGTOHLtCfztUrFJWWhNaapDoYcZKJ
F4vNwQsYFIPZDdYhNeaubsOsoKznei3+1PBLpNyAVTbQ2SgEZcDuVYkpoSUzu+cT
sZ/gAKYf3K1JacCdeEYRv55FXLJ991lTvKHLNNr4+IEZuOwMCqjdMKg/JF2Lh+nm
AoT2YoUFBJHYWNMyTUZZ4pZVB8PZPCeM76FJHf+zG+kQ2gQhDaEyMFqjuH7URRkj
nnV6GvenzOO7uIPiigKf9Ccpt05gnuezPKGtOwzJhpjTqOfxuVSH5HhDzDGPcrce
rfwtHRW6Rnq0ix1kHUAmC6tB6fhKwCOOnSZ04YmaKwtMsGMsEIoaZ6+h7VlllKJ/
OpVGGmTEdPzaEuJnCPUq0BuVOPWHtSyr6UcrTw4p8C+yjbE8Y99b9VkxdGGPU3vs
8ZSObJjEILcR3NnQhK4/V9bP6v9CVqh933W/Q7LdN6vjWr6VdwqYUn1q7USqIp2W
p+Q7KFg1VHh0JJTAirI9PSmsVmiWv4MXdBKFmd2PaT3w/HBEDTM5Fg8w6T0IPd26
ApQ+Yg+EAkC+GfH0JNcVR3LdnVgm/IncnNJPrq7gteN1FJ+lxsbeN0947nDpoasf
qjCUZVNcbzjeIfJEuBxZ6tCwJnrQF6Xi55UCAwEAAaOCAcUwggHBMBIGA1UdEwEB
/wQIMAYBAf8CAQAwgakGA1UdIASBoTCBnjBIBgkrBgEEAbE+AQAwOzA5BggrBgEF
BQcCARYtaHR0cDovL2N5YmVydHJ1c3Qub21uaXJvb3QuY29tL3JlcG9zaXRvcnku
Y2ZtMFIGCGCFdAERAxUCMEYwRAYIKwYBBQUHAgEWOGh0dHA6Ly93d3cucGtpLmFk
bWluLmNoL2Nwcy9DUFNfMl8xNl83NTZfMV8xN18zXzIxXzEucGRmMEIGCCsGAQUF
BwEBBDYwNDAyBggrBgEFBQcwAYYmaHR0cDovL29jc3Aub21uaXJvb3QuY29tL2Jh
bHRpbW9yZXJvb3QwDgYDVR0PAQH/BAQDAgEGMCcGA1UdJQQgMB4GCCsGAQUFBwMB
BggrBgEFBQcDAgYIKwYBBQUHAwMwHwYDVR0jBBgwFoAU5Z1ZMIJHWMys+ghUNoZ7
OrUETfAwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2NkcDEucHVibGljLXRydXN0
LmNvbS9DUkwvT21uaXJvb3QyMDI1LmNybDAdBgNVHQ4EFgQU/DVeWB34UuAr6Kyr
uYKtFRHW5s0wDQYJKoZIhvcNAQELBQADggEBAJwbVrtGL68v2T0QhiuIKpFvNCpi
2VpmyUwHY1IiIKxckiX9NoQdvSqwG9SePR3Fet9LC6d0SAnkXKTwnjP7hxTMdmMt
+TK/UnJWBBQCfMjwFRs0oAEFwyxSr04R2ZWIV/8DlTSQ3hxH2LPlgJjVosQfvdSG
nqYK0KY3c7vMRC7QbtAIrmxY4CTqtBHiPQy/CV6zdcCYxgsKl3iPxPQAHEMIG8DY
CaMW+JsRUTtdPIaXIa559nmHbG2xw/tm7Ku4ieKsd9RNkDIbE5DEi/clf1Xn8bW4
AiV4lLjW7oN6i5m4QrGeFtWIXZXBFiurMtplyoJ/wmNw70ArcqxbOc174n0=
-----END CERTIFICATE-----

> On Thu, Feb 5, 2015 at 6:33 PM, <s...@gmx.ch> wrote:
>
>> Hi all
>>
>> A few weeks ago, I got some mails about a broken iframe. The secure
>> connection to the remote server failed (OCSP error). The site was signed
>> by Swiss Government SSL CA 01. I contacted the technical support and
>> they told me that the Federal Office of Information Technology, Systems
>> and Telecommunication (FOITT) of Switzerland shut down their OCSP
>> servers! So all secure Swiss gov sites are broken if you require OCSP.
>> I contacted them directly and tried to explain why the OCSP service is a
>> requirement for a CA, but they do not react.
>>
>> Maybe someone from the Mozilla security team could contact them again.
>>
>> Regards,
>> Jonas

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
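Rob's message includes the intermediate certificate itself, so the two facts this thread turns on (who issued it, and where a client is told to look for revocation information) can be read from the bytes rather than taken on trust. What follows is an added example, not code from the thread or from any of the CAs mentioned: a minimal DER walker using only the Python standard library that decodes the certificate above, renders issuer and subject, and extracts the Authority Information Access extension, which is where the OCSP responder URL is carried. For this intermediate the OCSP pointer is Cybertrust's responder for the Baltimore root; the end-entity certificates issued under it carry the FOITT responder on pki.admin.ch that the thread reports as unreachable, and the same function applied to one of those leaf certificates would return that URL. The certificate is re-wrapped to 128 columns here purely for length (same bytes as the 64-column PEM above). The parser assumes well-formed DER, handles only the attribute types and the GeneralName form that appear in this certificate, and performs no signature verification; the helper names (`tbs`, `name_to_str`, `authority_info_access`) are my own.

```python
import base64

# Intermediate CA certificate exactly as posted in the thread (re-wrapped to 128 columns, same bytes).
PEM = """-----BEGIN CERTIFICATE-----
MIIGKDCCBRCgAwIBAgIEBye2CTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJJRTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTE0MDkxMDE4NTAzNloXDTE3MDkxMDE4NTAxMVowgYgxCzAJBgNVBAYTAkNIMR0wGwYDVQQKExRTd2lzcyBH
b3Zlcm5tZW50IFBLSTERMA8GA1UECxMIU2VydmljZXMxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxIzAhBgNVBAMTGlN3aXNzIEdvdmVybm1lbnQg
U1NMIENBIDAxMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA379210+WI6Wl63BOe93KXb9T6mw4frXZBPgN6iKcVp4KGTOHLtCfztUrFJWWhNaapDoYcZKJ
F4vNwQsYFIPZDdYhNeaubsOsoKznei3+1PBLpNyAVTbQ2SgEZcDuVYkpoSUzu+cTsZ/gAKYf3K1JacCdeEYRv55FXLJ991lTvKHLNNr4+IEZuOwMCqjdMKg/JF2Lh+nm
AoT2YoUFBJHYWNMyTUZZ4pZVB8PZPCeM76FJHf+zG+kQ2gQhDaEyMFqjuH7URRkjnnV6GvenzOO7uIPiigKf9Ccpt05gnuezPKGtOwzJhpjTqOfxuVSH5HhDzDGPcrce
rfwtHRW6Rnq0ix1kHUAmC6tB6fhKwCOOnSZ04YmaKwtMsGMsEIoaZ6+h7VlllKJ/OpVGGmTEdPzaEuJnCPUq0BuVOPWHtSyr6UcrTw4p8C+yjbE8Y99b9VkxdGGPU3vs
8ZSObJjEILcR3NnQhK4/V9bP6v9CVqh933W/Q7LdN6vjWr6VdwqYUn1q7USqIp2Wp+Q7KFg1VHh0JJTAirI9PSmsVmiWv4MXdBKFmd2PaT3w/HBEDTM5Fg8w6T0IPd26
ApQ+Yg+EAkC+GfH0JNcVR3LdnVgm/IncnNJPrq7gteN1FJ+lxsbeN0947nDpoasfqjCUZVNcbzjeIfJEuBxZ6tCwJnrQF6Xi55UCAwEAAaOCAcUwggHBMBIGA1UdEwEB
/wQIMAYBAf8CAQAwgakGA1UdIASBoTCBnjBIBgkrBgEEAbE+AQAwOzA5BggrBgEFBQcCARYtaHR0cDovL2N5YmVydHJ1c3Qub21uaXJvb3QuY29tL3JlcG9zaXRvcnku
Y2ZtMFIGCGCFdAERAxUCMEYwRAYIKwYBBQUHAgEWOGh0dHA6Ly93d3cucGtpLmFkbWluLmNoL2Nwcy9DUFNfMl8xNl83NTZfMV8xN18zXzIxXzEucGRmMEIGCCsGAQUF
BwEBBDYwNDAyBggrBgEFBQcwAYYmaHR0cDovL29jc3Aub21uaXJvb3QuY29tL2JhbHRpbW9yZXJvb3QwDgYDVR0PAQH/BAQDAgEGMCcGA1UdJQQgMB4GCCsGAQUFBwMB
BggrBgEFBQcDAgYIKwYBBQUHAwMwHwYDVR0jBBgwFoAU5Z1ZMIJHWMys+ghUNoZ7OrUETfAwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2NkcDEucHVibGljLXRydXN0
LmNvbS9DUkwvT21uaXJvb3QyMDI1LmNybDAdBgNVHQ4EFgQU/DVeWB34UuAr6KyruYKtFRHW5s0wDQYJKoZIhvcNAQELBQADggEBAJwbVrtGL68v2T0QhiuIKpFvNCpi
2VpmyUwHY1IiIKxckiX9NoQdvSqwG9SePR3Fet9LC6d0SAnkXKTwnjP7hxTMdmMt+TK/UnJWBBQCfMjwFRs0oAEFwyxSr04R2ZWIV/8DlTSQ3hxH2LPlgJjVosQfvdSG
nqYK0KY3c7vMRC7QbtAIrmxY4CTqtBHiPQy/CV6zdcCYxgsKl3iPxPQAHEMIG8DYCaMW+JsRUTtdPIaXIa559nmHbG2xw/tm7Ku4ieKsd9RNkDIbE5DEi/clf1Xn8bW4
AiV4lLjW7oN6i5m4QrGeFtWIXZXBFiurMtplyoJ/wmNw70ArcqxbOc174n0=
-----END CERTIFICATE-----"""

OID_AIA = "1.3.6.1.5.5.7.1.1"       # id-pe-authorityInfoAccess (RFC 5280 4.2.2.1)
OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"  # id-ad-ocsp access method
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}


def pem_to_der(pem):
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def read_tlv(buf, pos):
    """One DER tag-length-value at pos -> (tag, value, next pos); definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def iter_children(value):                       # (tag, value) of each TLV inside a constructed value
    pos = 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        yield tag, v


def decode_oid(value):                          # dotted form of an OBJECT IDENTIFIER's content octets
    arcs, n = [value[0] // 40, value[0] % 40], 0   # first byte packs the first two arcs
    for b in value[1:]:                         # remaining arcs are base-128, high bit = continuation
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def tbs(der):
    """tbsCertificate fields in RFC 5280 4.1 order with the optional [0] version dropped:
    serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ..., [3] extensions."""
    _, cert, _ = read_tlv(der, 0)               # Certificate ::= SEQUENCE
    _, body, _ = read_tlv(cert, 0)              # tbsCertificate ::= SEQUENCE
    fields = list(iter_children(body))
    return fields[1:] if fields[0][0] == 0xA0 else fields


def name_to_str(name):
    """Flatten an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) to 'C=.., O=.., CN=..'."""
    parts = []
    for _, rdn in iter_children(name):
        for _, atv in iter_children(rdn):
            (_, oid), (_, val) = list(iter_children(atv))
            parts.append(f"{ATTR_NAMES.get(decode_oid(oid), decode_oid(oid))}={val.decode('utf-8')}")
    return ", ".join(parts)


def authority_info_access(der):
    """Map each AIA accessMethod OID to its list of URIs; {} when the extension is absent."""
    result = {}
    exts = next((v for tag, v in tbs(der) if tag == 0xA3), None)   # [3] EXPLICIT Extensions
    if exts is None:
        return result
    _, ext_seq, _ = read_tlv(exts, 0)           # Extensions ::= SEQUENCE OF Extension
    for _, ext in iter_children(ext_seq):
        items = list(iter_children(ext))        # extnID, optional critical BOOLEAN, extnValue
        if decode_oid(items[0][1]) != OID_AIA:
            continue
        _, ad_seq, _ = read_tlv(items[-1][1], 0)   # extnValue OCTET STRING wraps SEQUENCE OF AccessDescription
        for _, ad in iter_children(ad_seq):
            (_, method), (loc_tag, loc) = list(iter_children(ad))
            if loc_tag == 0x86:                 # GeneralName [6] uniformResourceIdentifier
                result.setdefault(decode_oid(method), []).append(loc.decode("ascii"))
    return result


if __name__ == "__main__":
    der = pem_to_der(PEM)
    print("issuer :", name_to_str(tbs(der)[2][1]))
    print("subject:", name_to_str(tbs(der)[4][1]))
    print("OCSP   :", authority_info_access(der).get(OID_AD_OCSP))
```

Run as a script it prints the issuer `C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root`, the subject ending in `CN=Swiss Government SSL CA 01`, and the OCSP URL `http://ocsp.omniroot.com/baltimoreroot`. A responder URL being present in a certificate says nothing about whether that responder answers, which is the gap this thread is about: a monitoring check has to fetch each distinct OCSP URL found in the certificates it is responsible for and treat a non-200 response as a revocation-checking outage for every certificate that names it.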

Jürgen Brauckmann

Feb 6, 2015, 10:45:45 AM
to dev-secur...@lists.mozilla.org
One affected host: https://www.bit.admin.ch

Its cert contains an OCSP AIA "http://www.pki.admin.ch/aia/ocsp", which
currently gives an HTTP 503.

Juergen

Rob Stradling wrote:

s...@gmx.ch

Feb 8, 2015, 9:26:39 AM
to Medin, Steven, Rob Stradling, Richard Barnes, dev-secur...@lists.mozilla.org
Thank you!

Please inform me if you were successful.

Regards,
Jonas


On 06.02.2015 at 16:43, Medin, Steven wrote:
> I will contact the Swiss BIT and discuss.
>
> Kind regards,
> Steven Medin
> Product Manager, Identity and Access Management
> Verizon Enterprise Solutions
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
>