View Issue Details

ID: 0004704
Project: 10000-004: Services
Category: Spec
View Status: public
Last Update: 2023-03-21 19:57
Reporter: Paul Hunkar
Assigned To: Matthias Damm
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Summary: 0004704: Certificate validation steps - revocation lists
Description

In Table 106, the Find revocation list row does not provide for a Bad_SecurityChecksFailed return. While running the new extended CTT certificate testing, we have had a vendor complain about the expected return code (see related mantis issue). For a revoked certificate, Bad_SecurityChecksFailed is expected. An attacker could gain more information about a system by blocking access to revocation lists if the more detailed error codes are returned.

Tags: No tags attached.
Commit Version:
Fix Due Date:

Relationships

related to 0004703 (resolved, Sebastian Allmendinger): CTT UA Scripts inconsistency Security Certificate Validation/002.js vs. 042.js/043.js
related to 0002822 (closed, Matthias Damm): 10000-004: Services: A revoked certificate should be treated like an untrusted certificate

Activities

Paul Hunkar

2019-03-29 15:12

developer   ~0010079

In addition, the last sentence in the first paragraph above the table indicates that if the application instance certificate is trusted then the certificate chains are not processed. This should be further explained [if a certificate is trusted, i.e. in a trust list, but it is revoked by a CA, what would happen - since the application instance certificate is explicitly trusted].

Bernd Edlinger

2019-04-06 11:50

reporter   ~0010142

This is related to 2822, because when the revocation list is unavailable but required for path validation the certificate might be revoked, and returning BadCertificateRevocationUnknown / BadCertificateIssuerRevocationUnknown should only be done after successful path validation (and only when the certificate is trusted).
As far as I remember, our discussion around BadCertificateRevoked vs. BadCertificateIssuerRevoked was that there is obviously a need for an exception for BadCertificateTimeInvalid, because this can happen when clocks are not synchronized, or when certificates expire unexpectedly, and administrator action like setting the system clock or enabling the DisableCertificateTimeInvalid override needs to be taken without unnecessary delays for troubleshooting.
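The outcome agreed in this issue (revoked, untrusted and "revocation list not found" all surface to the client as Bad_SecurityChecksFailed, with the detailed reason kept in the server log) and the point in the note above that Bad_CertificateTimeInvalid stays distinguishable so an operator can fix a wrong clock, as an added illustration. This is example code written for this page, not text from OPC UA Part 4 or code from any vendor's stack. Only the status code names quoted in the issue come from the page; the certificate and CRL record shapes, the constructed sample PKI, the internal detail strings, the use of Bad_CertificateUntrusted for a failed path and the order of the three steps are assumptions made for the example.

```python
"""Added example (not OPC UA specification text or a real UA stack): collapse the
client-visible result of the revocation-related certificate validation steps to
Bad_SecurityChecksFailed while logging the precise reason server-side."""
from dataclasses import dataclass
import logging

log = logging.getLogger("cert_validation")

GOOD = "Good"
BAD_SECURITY_CHECKS_FAILED = "Bad_SecurityChecksFailed"
BAD_CERTIFICATE_TIME_INVALID = "Bad_CertificateTimeInvalid"
BAD_CERTIFICATE_REVOKED = "Bad_CertificateRevoked"
BAD_CERTIFICATE_ISSUER_REVOKED = "Bad_CertificateIssuerRevoked"
BAD_CERTIFICATE_REVOCATION_UNKNOWN = "Bad_CertificateRevocationUnknown"
BAD_CERTIFICATE_ISSUER_REVOCATION_UNKNOWN = "Bad_CertificateIssuerRevocationUnknown"
BAD_CERTIFICATE_UNTRUSTED = "Bad_CertificateUntrusted"  # assumed internal code for a failed path

# Detailed codes the client must not be able to tell apart: a client that could
# distinguish "revoked" from "no CRL available" would learn whether blocking the
# CRL source changed the server's decision.
HIDDEN_FROM_CLIENT = {
    BAD_CERTIFICATE_REVOKED, BAD_CERTIFICATE_ISSUER_REVOKED,
    BAD_CERTIFICATE_REVOCATION_UNKNOWN, BAD_CERTIFICATE_ISSUER_REVOCATION_UNKNOWN,
    BAD_CERTIFICATE_UNTRUSTED,
}

@dataclass(frozen=True)
class Cert:           # toy certificate record (assumed shape, not X.509)
    subject: str
    issuer: str       # equals subject for a self-signed root
    serial: int
    not_before: int   # toy epoch seconds
    not_after: int

@dataclass(frozen=True)
class Crl:            # toy revocation list keyed by issuer
    issuer: str
    revoked_serials: frozenset

@dataclass(frozen=True)
class Result:
    client_status: str   # what is sent back in the UA response
    detail: str          # what is written to the server's local log only

def _fail(detail_code, cert):
    detail = f"{detail_code} for {cert.subject}"
    log.warning("certificate validation failed: %s", detail)
    client = BAD_SECURITY_CHECKS_FAILED if detail_code in HIDDEN_FROM_CLIENT else detail_code
    return Result(client, detail)

def validate_chain(chain, trust_list, crls, now, disable_time_check=False):
    """chain[0] is the application instance certificate, chain[-1] the root.
    trust_list holds the subjects the application explicitly trusts; crls maps an
    issuer subject to its Crl. The step order below is an assumption of the example."""
    # Step 1: build the path and require a trust anchor somewhere in it.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return _fail(BAD_CERTIFICATE_UNTRUSTED, child)
    if not any(c.subject in trust_list for c in chain):
        return _fail(BAD_CERTIFICATE_UNTRUSTED, chain[0])
    # Step 2: validity period. Reported unchanged so an operator can recognise an
    # unsynchronised clock; the override flag mirrors the note's DisableCertificateTimeInvalid.
    if not disable_time_check:
        for c in chain:
            if not (c.not_before <= now <= c.not_after):
                return _fail(BAD_CERTIFICATE_TIME_INVALID, c)
    # Step 3: "Find revocation list" and revocation status for every non-root certificate.
    for i, c in enumerate(chain):
        if c.issuer == c.subject:
            continue
        crl = crls.get(c.issuer)
        if crl is None:
            return _fail(BAD_CERTIFICATE_REVOCATION_UNKNOWN if i == 0
                         else BAD_CERTIFICATE_ISSUER_REVOCATION_UNKNOWN, c)
        if c.serial in crl.revoked_serials:
            return _fail(BAD_CERTIFICATE_REVOKED if i == 0 else BAD_CERTIFICATE_ISSUER_REVOKED, c)
    return Result(GOOD, "ok")

# Constructed sample PKI for the example (not real certificates).
NOW = 1_700_000_000
ROOT = Cert("Example Root", "Example Root", 1, NOW - 10**8, NOW + 10**8)
CA = Cert("Example CA", "Example Root", 2, NOW - 10**7, NOW + 10**7)
LEAF = Cert("urn:example:server", "Example CA", 3, NOW - 10**6, NOW + 10**6)
EXPIRED_LEAF = Cert("urn:example:server", "Example CA", 4, NOW - 10**6, NOW - 1)
REVOKED_LEAF = Cert("urn:example:server", "Example CA", 5, NOW - 10**6, NOW + 10**6)
TRUST = {"Example Root"}
CRLS = {"Example Root": Crl("Example Root", frozenset()),
        "Example CA": Crl("Example CA", frozenset({5}))}

if __name__ == "__main__":
    for name, chain, lists in [("valid", [LEAF, CA, ROOT], CRLS),
                               ("revoked", [REVOKED_LEAF, CA, ROOT], CRLS),
                               ("crl blocked", [LEAF, CA, ROOT], {})]:
        r = validate_chain(chain, TRUST, lists, NOW)
        print(f"{name:12} client sees {r.client_status:26} log has {r.detail}")
```

Run as a script, the "revoked" and "crl blocked" rows print the same client status while the log line differs, which is the distinction the issue wants kept out of the wire response. The one deliberate exception is the expired certificate, which still reports Bad_CertificateTimeInvalid unless the override is set.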

Matthias Damm

2020-03-04 22:01

developer   ~0011669

Table 106 – Certificate validation steps
Added to description for Find Revocation List:
Bad_SecurityChecksFailed should be reported back to the Client.

Jim Luth

2020-03-04 22:01

administrator   ~0011670

Agreed to changes made in Dallas meeting.

Paul Hunkar

2022-11-02 17:11

developer   ~0018091

This issue should have an errata back to 1.04 or even 1.03 (raised by the CMP group).

Matthias Damm

2023-03-20 05:00

developer   ~0018903

Added errata for 1.04 and 1.03

Jim Luth

2023-03-21 19:57

administrator   ~0018946

Agreed to 1.03 and 1.04 Errata in Dallas meeting.

Issue History

Date Modified Username Field Change
2019-03-29 14:41 Paul Hunkar New Issue
2019-03-29 14:43 Paul Hunkar Relationship added related to 0004703
2019-03-29 15:12 Paul Hunkar Note Added: 0010079
2019-04-02 15:26 Jim Luth Assigned To => Matthias Damm
2019-04-02 15:26 Jim Luth Status new => assigned
2019-04-06 11:31 Bernd Edlinger Relationship added related to 0002822
2019-04-06 11:50 Bernd Edlinger Note Added: 0010142
2020-03-04 22:01 Matthias Damm Status assigned => resolved
2020-03-04 22:01 Matthias Damm Resolution open => fixed
2020-03-04 22:01 Matthias Damm Note Added: 0011669
2020-03-04 22:01 Jim Luth Status resolved => closed
2020-03-04 22:01 Jim Luth Fixed in Version => 1.05
2020-03-04 22:01 Jim Luth Note Added: 0011670
2022-11-02 17:11 Paul Hunkar Status closed => feedback
2022-11-02 17:11 Paul Hunkar Resolution fixed => reopened
2022-11-02 17:11 Paul Hunkar Note Added: 0018091
2023-03-20 05:00 Matthias Damm Status feedback => resolved
2023-03-20 05:00 Matthias Damm Resolution reopened => fixed
2023-03-20 05:00 Matthias Damm Note Added: 0018903
2023-03-21 19:57 Jim Luth Status resolved => closed
2023-03-21 19:57 Jim Luth Note Added: 0018946