[Servercert-wg] [EXTERNAL] Ballot SC23: Precertificates
Jeremy Rowley
jeremy.rowley at digicert.com
Mon Oct 21 09:00:01 MST 2019
Totally agree. This is similar to why I endorsed the ballot.
________________________________
From: Rob Stradling <rob at sectigo.com>
Sent: Monday, October 21, 2019, 8:53 AM
To: Jeremy Rowley; CA/B Forum Server Certificate WG Public Discussion List; Ryan Sleevi
Subject: Re: [Servercert-wg] [EXTERNAL] Ballot SC23: Precertificates
On 18/10/2019 17:13, Jeremy Rowley via Servercert-wg wrote:
<snip>
> 2) If there is an issue, and the CA only creates a Precertificate, but
> does not create a Certificate, what is the expected response?
>
> Same as above. I can’t tell what it should be because I can’t tell if
> the BRs are supposed to apply to OCSP for pre-certs.
OCSP is the Online *Certificate* Status Protocol. Its purpose is to
provide status information about *certificates*. OCSP does not provide
status information about things that are not certificates.
Currently the BRs say that precertificates are not certificates, which
(in my view) implicitly forbids CAs from providing status information
via OCSP about precertificates (unless a corresponding certificate has
been issued).
We need to either:
(1) Stop saying "precertificates are not certificates" in the BRs, so
that precertificates become in scope for OCSP.
or
(2) Invent OPSP (Online Precertificate Status Protocol).
or
(3) Continue forbidding (in the BRs) CAs from providing OCSP status for
precertificates, and somehow persuade the root programs to be happy with
that.
I prefer (1), and I think it's the only sensible way forward. RFC6962
and at least one root program already declare that CTv1 precertificates
*are* certificates, and I think it's entirely reasonable for relying
parties to want to obtain status information for "certificates presumed
to exist based on the presence of a Precertificate" (quoting
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Precertificates).
Therefore, I still favour the SC23 draft ballot language that I've
already endorsed.
--
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191021/1f640872/attachment.html>
More information about the Servercert-wg
mailing list