Bugzilla #1684112
Technical Compliance
Let's Encrypt: Failure to audit log subscriber certificate OCSP updates
RESOLVED
FIXED
Internet Security Research Group
AI Summary
Let's Encrypt identified a compliance issue regarding the audit logging of OCSP updates for subscriber certificates. While initial certificate issuance was logged correctly, subsequent OCSP updates were not, violating the Baseline Requirements. The issue was discovered during an internal audit, and although it affected all certificates issued from their intermediate Certificate Authorities, issuance was not halted. Remediation consisted of CA software updates to ensure proper logging, with a target completion date of January 31, 2021. The necessary changes have since been deployed.
Chronology
- Internal audit detected non-compliance with OCSP update logging.
- Updated CA software with logging changes deployed.
- Bug closure planned as remediation was completed.
Participants
Andrew Gabbitas
Kris Chris
Ben Wilson
Similar Local Cases
Firmaprofesional: 2022 - Title field
Entrust: CRLs and OCSP responses not issued as specified in the CPS
Firmaprofesional: 2023 - Ensure Timestamp service Logs Integrity
E-Tugra: Forbidden Domain Validation Method 3.2.2.4.6
Firmaprofesional: 2022 - Define Device Obsolescence Process
Turn off Secure Email Trust Bit for certSIGN ROOT CA G2 cert
Asseco DS / Certum: Forward dating certificates (notBefore in the future)
Telekom Security: Finding in 2020 ETSI-Audit regarding weekly review of changes to configurations