Bugzilla #1605372
Certificate Problem Report
GlobalSign: OCSP responders found to respond signed by the default CA when passed an invalid issuer in request
RESOLVED
FIXED
GlobalSign nv-sa
AI Summary
GlobalSign identified an issue where their OCSP responders incorrectly returned responses signed by a default CA when presented with an invalid issuer in the request. The problem was first reported by Microsoft after a security researcher raised concerns. GlobalSign implemented a workaround by disabling the default OCSP signer, so that an OCSP "unauthorized" response is returned instead for such requests. All remediation steps were completed by January 2020, and no non-compliant certificates were issued during the incident.
Chronology
- Microsoft informed GlobalSign of the OCSP issue.
- Workaround implemented on first OCSP cluster.
- Workaround scheduled for completion on other clusters.
- All remediation steps confirmed complete.
Participants
Paul Brown
Wayne Thayer
Ryan Sleevi
Julio Montano
External References
Similar Local Cases
GlobalSign: Failure to revoke 2 noncompliant QWACs within 5 days
GlobalSign: Empty SingleExtension in OCSP responses
GlobalSign: Certificate issued with RSASSA-PSS public key
Microsoft PKI Services: Null Character Bug and Microsoft Root CAs
Microsoft DSRE PKI: problem reporting e-mail in CPS does not work
GlobalSign: Certificates with RSA keys where modulus is not divisible by 8
GlobalSign: IP in dnsName
GlobalSign: EV certificates with serialNumber Government Entity and businessCategory Private Organization