Bugzilla #1639502
Certificate Problem Report
Asseco DS / Certum: Incorrect OCSP response encoding
RESOLVED FIXED
Asseco Data Systems S.A.
AI Summary
The case involved an incorrect encoding of OCSP responses by Asseco Data Systems S.A. (Certum), which violated RFC 6960 by explicitly encoding the default value in the ResponseData.version field (DER requires a field that holds its DEFAULT value to be omitted). The issue was identified on May 20, 2020, and Certum investigated and implemented a fix by May 21, 2020. Certum confirmed that it had ceased issuing OCSP responses with the incorrect encoding and has since enhanced its testing procedures to prevent similar issues. The case was resolved with the implementation of a new linting tool for its OCSP services.
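As an added illustration of the defect the summary describes (this is example code, not Certum's responder or the linter the case mentions), the following Python check walks a DER-encoded ResponseData and flags a version [0] field that is present while holding the DEFAULT value v1; the ResponseData structures it builds are constructed here with placeholder contents.

```python
# Added example: detect the RFC 6960 / DER defect described above, a
# ResponseData whose version [0] field is present although it holds the
# DEFAULT value v1 (0). Sample structures are constructed, not real.

def der_len(n: int) -> bytes:
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    """Encode one tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def response_data_encodes_default_version(response_data: bytes) -> bool:
    """True if version [0] is present and holds v1 (0), the DEFAULT value.
    DER (X.690) forbids encoding a field that carries its DEFAULT value."""
    tag, seq, _ = read_tlv(response_data, 0)
    if tag != 0x30:                      # ResponseData must be a SEQUENCE
        raise ValueError("ResponseData is not a SEQUENCE")
    first_tag, first_val, _ = read_tlv(seq, 0)
    if first_tag != 0xA0:                # no [0] tag: version omitted, OK
        return False
    inner_tag, inner_val, _ = read_tlv(first_val, 0)
    return inner_tag == 0x02 and inner_val == b"\x00"

def build_response_data(with_default_version: bool) -> bytes:
    """Constructed ResponseData: byKey ResponderID (placeholder KeyHash of
    zeros), producedAt, and an empty SEQUENCE OF SingleResponse."""
    responder = tlv(0xA2, tlv(0x04, bytes(20)))       # [2] EXPLICIT KeyHash
    produced_at = tlv(0x18, b"20200520120000Z")       # GeneralizedTime
    responses = tlv(0x30, b"")                        # SEQUENCE OF (empty)
    body = responder + produced_at + responses
    if with_default_version:
        body = tlv(0xA0, tlv(0x02, b"\x00")) + body   # the offending encoding
    return tlv(0x30, body)
```

To lint a real response, feed the check the tbsResponseData SEQUENCE extracted from the BasicOCSPResponse; the same tag-level walk applies.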
Chronology
- Bug created regarding incorrect OCSP response encoding.
- Certum confirmed the issue and implemented a fix.
- Certum ceased issuing OCSP responses with the incorrect encoding.
Participants
mpalmer@hezmatt.org
wtrapczynski@certum.pl
ryan.sleevi@gmail.com
bwilson@mozilla.com