[SSL Observatory] Malfunctioning OCSP responders

Kai Engert kaie at kuix.de
Fri Feb 14 13:34:21 PST 2014


On Thu, 2014-02-13 at 10:31 -0800, Brian Smith wrote:
> > I say go ahead, this is after all about observations.
> > 
> > FWIW, I have a list of CAs here that send some weird replies and I can
> > show their OCSPs have lapses from time to time...
> 
> If you share some more information about this, either on this list or
> privately, I will bring it up next week at the CA/Browser Forum
> meeting. I am very interested in this particular problem and data &
> measurements would be extremely helpful.

The CA has fixed the issue in the meantime, after I had reported it to
them, and I confirmed it's fixed.

Because of a bug, their software wasn't able to provide the real status
for the certificate; instead it had sent out an error response (status
unauthorized).

On my side, because I had configured Firefox to strictly require good
OCSP responses, I was presented with a "certificate revoked" error message.

Although the CA's OCSP responder didn't send the right status, at least
it used the safe default, which I appreciate.

Independently of this specific CA, this event could be seen as a general
reminder that OCSP responders can have bugs, or return incorrect status
for other reasons. I got a false negative, which is safe. But I'm
worried software bugs in OCSP responders could also result in false
positives.

I think CAs should ideally monitor their own servers for bugs, but maybe
we cannot rely on that? Maybe it motivates CAs if we're watching
them?

How about regularly probing OCSP responders of the global CAs for
correctness? It could fetch CRLs, and each day select a random set of
certificates, both revoked and unrevoked, and query the OCSP responders
for the expected results.

Is this something the Observatory would be motivated to implement?

Regards
Kai
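An added offline sketch of the probe Kai proposes (this is example code written for this page, not code from the list, the Observatory or any CA): sample revoked and unrevoked serials from a CRL-derived set, ask a responder, and compare each answer with the CRL. The CRL contents, issued serials and the responder are constructed stand-ins; the result labels follow the mail's distinction between a safe failure (a live certificate wrongly reported revoked) and an unsafe one (a revoked certificate reported good), and the error-response case from the mail is kept separate.

```python
import random

# OCSP error responses (responseStatus values other than "successful").
# The CA in the mail answered every query with "unauthorized".
OCSP_ERRORS = {"malformedRequest", "internalError", "tryLater",
               "sigRequired", "unauthorized"}


def choose_probes(issued_serials, crl_revoked, n, rng):
    """Pick up to n revoked and n unrevoked serials for today's probe run.

    issued_serials: serials the CA is known to have issued (constructed here).
    crl_revoked:    serials listed in the CA's current CRL.
    """
    revoked = sorted(set(issued_serials) & set(crl_revoked))
    unrevoked = sorted(set(issued_serials) - set(crl_revoked))
    return (rng.sample(revoked, min(n, len(revoked)))
            + rng.sample(unrevoked, min(n, len(unrevoked))))


def classify(expected, observed):
    """Compare one responder answer with the status the CRL predicts."""
    if observed in OCSP_ERRORS:
        return "error:" + observed          # no status at all, as in the mail
    if observed == expected:
        return "ok"
    if expected == "good" and observed == "revoked":
        return "wrongly-revoked"            # safe for users, but breaks the site
    if expected == "revoked" and observed == "good":
        return "wrongly-good"               # the dangerous case: revoked cert usable
    return "unexpected:" + str(observed)    # e.g. "unknown" for a listed serial


def audit(crl_revoked, issued_serials, responder, n=2, seed=0):
    """Run one probe round; responder(serial) returns the OCSP answer.

    Returns {serial: classification}, suitable for alerting on anything
    other than "ok". A fixed seed keeps a run reproducible for reporting.
    """
    rng = random.Random(seed)
    report = {}
    for serial in choose_probes(issued_serials, crl_revoked, n, rng):
        expected = "revoked" if serial in crl_revoked else "good"
        report[serial] = classify(expected, responder(serial))
    return report
```

A real monitor would replace the stub responder with an OCSP request over HTTP and derive `crl_revoked` from the CA's published CRL; the comparison logic stays the same.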