[Servercert-wg] [EXTERNAL] Draft Ballot: Precertificates and OCSP

Wayne Thayer wthayer at mozilla.com
Fri Sep 20 14:39:33 MST 2019


Bruce,

On Fri, Sep 20, 2019 at 2:18 PM Bruce Morton <
Bruce.Morton at entrustdatacard.com> wrote:

> Hi Wayne,
>
> In summary, does this mean that a precertificate is a certificate per RFC
> 5280 with the exception of RFC 5280 section 4.1.2.2, and as such, OCSP
> should respond to the status of a precertificate as if a certificate has
> been issued?
>
That's a good way to think about it, especially in the context of BR 4.9.10.

I can argue that this change isn't needed because what we're really saying
is that the existence of a precertificate indicates that a certificate
exists, thus the OCSP response must comply with section 4.9.10. However, we
know there are cases when that assumption isn't true, so this change
attempts to permit a "good" OCSP response for a precertificate without
getting into a debate over whether the precertificate IS a certificate.

Thanks,

Wayne