Bugzilla #1588001
Certificate Problem Report
Apple: OCSP responders return responses with incorrect issuer
RESOLVED
FIXED
Apple Inc.
AI Summary
Apple's OCSP responders were found to return signed responses with incorrect issuers, which was reported on October 3, 2019. An investigation revealed that when the OCSP service could not process a request, it defaulted to signing responses with a generic OCSP responder. Apple initiated a fix to ensure that responses are signed by the correct issuer and communicated the issue to relevant stakeholders, including root vendors. The fix was rolled out by October 18, 2019, and no non-compliant certificates were issued during the incident.
Chronology
- Problem report received regarding OCSP responses.
- Investigation began and fix rollout started.
- Fix for OCSP service completed.
Participants
certification_authority@apple.com
ryan.sleevi@gmail.com
Similar Local Cases
Apple: OCSP availability 2020-11-12
Apple: EV Certificate Approver Authorization
Apple: OCSP responders return ‘unknown’ for valid S/MIME and TLS certificates
Apple: Public Key Reuse
Apple: Revocation Delay for TLS certificates issued outside the TTL of the CAA record
Apple: TLS certificates issued outside the TTL of the CAA record
Apple: CRLs for dormant CAs will not be populated in CCADB
DigiCert: Apple: Non-compliant Common Name Length