For a two hour window yesterday we saw "ocsp.entrust.net" resolving to a CNAME of "ocsp.entrust.net.edgagekey.net" rather than the usual "ocsp.entrust.net.edgekey.net". Did anyone else see this?
Fortunately "edgagekey.net" is not a registered domain so these didn't go anywhere. These affected devices were Apple devices attempting to validate various hosts under "push.apple.com".
Since Entrust is a certificate authority for Apple, and Apple doesn't appear to have a CAA record, could an attacker have noticed what I presume is a misconfiguration by Entrust or Akamai, registered the edgagekey.net domain, and with some DNS poisoning have delivered signed but fraudulent Apple content?
In general, if a CA is delivering OCSP certificate status through a CDN, does that mean they are storing at least an intermediate private key on CDN servers?
Jun 10th 2019
5 months ago