2020.12.22 Failure to audit log subscriber certificate OCSP updates

During a quarterly internal review of the CA/B Forum baseline requirements, our team noticed that we may not be compliant with section 5.4.1.2.5. Further investigation confirmed that we were not.

Let’s Encrypt logs an audit log event when OCSP is signed upon initial certificate issuance. Subsequent updates to the OCSP response throughout a certificate’s 90-day lifetime are not logged as audit log events.

The CA/B Forum Baseline Requirements section 5.4.1.2.5 requires these events to be logged as an audit level event and stored for a period of time.

Revocation logs are properly logged as audit logs and are not affected by this incident.

Timeline

  • 2020-12-22: Internal audit detected that we were not compliant with the requirement that audit logs be kept on OCSP updates to subscriber certificates.

Remediation

  • OCSP signing is a very high-throughput service. This requires some consideration of our storage needs in order to store the logs adequately.
  • A change to our Boulder CA software is needed to implement the logging.
  • Our team will be working on both of these items with a target date of 2021-01-31 for completion.

We have posted this to Mozilla Bugzilla here: https://bugzilla.mozilla.org/show_bug.cgi?id=1684112
