From RFC6962:

The signature on the TBSCertificate indicates the certificate
authority's intent to issue a certificate.  This intent is considered
binding (i.e., misissuance of the Precertificate is considered equal
to misissuance of the final certificate).

I don't think this text could be any more clear, and I'm frankly
astounded that any CA would try to argue they shouldn't be held to
account for them.

If you wouldn't issue a cert, don't issue the pre-cert. It's really that simple.


Alex


On Thu, Aug 3, 2017 at 7:20 AM, Inigo Barreira via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> We're revoking all those unrevoked certs to avoid any more problems.
>
> Regarding the pre-certs, yes, I was aware of the discussion. As Gerv says
> there's a binding statement of "intent" ... the problem with these is that
> we generated the pre-certs and logged in the CT log, where crt.sh looks or
> monitor, but those weren't finally issued, so there are not such certs.
> In any case, as said, we're revoking all of those listed and will update
> the bugzilla accordingly.
>
> Best regards
>
> Iñigo Barreira
> CEO
> StartCom CA Limited
>
> -----Original Message-----
> From: Patrick Figel [mailto:patrick@figel.email]
> Sent: Thursday, 3 August 2017 13:07
> To: Inigo Barreira <in...@startcomca.com>; Franck Leroy
> <fr.le...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: StartCom cross-signs disclosed by Certinomis
>
> On 03/08/2017 10:47, Inigo Barreira via dev-security-policy wrote:
> > 1. The un-revoked test certificates are those pre-sign ones with uncompleted
> > ctlog. So they are not completed certificates.
> > https://crt.sh/?opt=cablint&id=134843670
> > https://crt.sh/?opt=cablint&id=134843674
> > https://crt.sh/?opt=cablint&id=134843685
> > https://crt.sh/?opt=cablint&id=139640371
>
> My understanding of Mozilla's policy is that misissued precerts are
> considered misissuance nonetheless[1].
>
> [1]:
> https://groups.google.com/d/msg/mozilla.dev.security.policy/6pBLHJBFNts/kM3kEJKMAgAJ
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
>
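The thread turns on what a CT log entry actually is: a precertificate is the same TBSCertificate as the final certificate, with a critical "poison" extension (OID 1.3.6.1.4.1.11129.2.4.3, value ASN.1 NULL) that stops browsers from accepting it, which is why RFC 6962 treats a misissued precert as a misissued cert. The following Python is an added example, not code from this thread, from any of its participants, from crt.sh or from any CA; it shows how a monitor can tell a precert entry from a final certificate by walking the DER extension list. The sample extension bytes are constructed inline for the example and are not taken from any real log entry.

```python
# Added example (not from the thread): classify a DER-encoded X.509
# "Extensions" block as belonging to an RFC 6962 precertificate or to a
# final certificate, using a minimal DER TLV walker (no external libraries).

# RFC 6962 section 3.1: precert poison extension, OID 1.3.6.1.4.1.11129.2.4.3
PRECERT_POISON_OID = bytes.fromhex("2b06010401d679020403")


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _iter_sequence(seq_value):
    """Yield (tag, value) for each child TLV of a SEQUENCE body."""
    pos = 0
    while pos < len(seq_value):
        tag, value, pos = _read_tlv(seq_value, pos)
        yield tag, value


def parse_extensions(der):
    """Parse 'Extensions ::= SEQUENCE OF Extension' into
    a list of (oid_bytes, critical, extnValue_bytes)."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected Extensions SEQUENCE")
    result = []
    for tag, ext in _iter_sequence(seq):
        if tag != 0x30:
            raise ValueError("expected Extension SEQUENCE")
        fields = list(_iter_sequence(ext))
        oid = fields[0][1]
        critical, idx = False, 1
        if fields[idx][0] == 0x01:  # optional BOOLEAN critical (DEFAULT FALSE)
            critical = fields[idx][1] != b"\x00"
            idx += 1
        value = fields[idx][1]      # OCTET STRING extnValue
        result.append((oid, critical, value))
    return result


def classify(der_extensions):
    """Return 'precertificate' if the poison extension is present and
    well-formed (critical, ASN.1 NULL), else 'certificate'."""
    for oid, critical, value in parse_extensions(der_extensions):
        if oid == PRECERT_POISON_OID:
            if not critical or value != b"\x05\x00":
                raise ValueError("poison extension must be critical with NULL value")
            return "precertificate"
    return "certificate"


# --- constructed sample inputs (not real log entries) ---------------------

def _tlv(tag, value):
    """Tiny DER encoder; short-form length is enough for these samples."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def _extension(oid, critical, value):
    body = _tlv(0x06, oid)
    if critical:
        body += _tlv(0x01, b"\xff")
    body += _tlv(0x04, value)
    return _tlv(0x30, body)


KEY_USAGE_OID = bytes.fromhex("551d0f")          # 2.5.29.15
KEY_USAGE_VALUE = bytes.fromhex("030205a0")      # BIT STRING, constructed value

# A precert carries the same extensions as the final cert plus the poison.
PRECERT_EXTS = _tlv(0x30, _extension(KEY_USAGE_OID, True, KEY_USAGE_VALUE)
                    + _extension(PRECERT_POISON_OID, True, b"\x05\x00"))
FINAL_EXTS = _tlv(0x30, _extension(KEY_USAGE_OID, True, KEY_USAGE_VALUE))

if __name__ == "__main__":
    for label, der in (("precert", PRECERT_EXTS), ("final", FINAL_EXTS)):
        print(label, "->", classify(der))
```

A monitor that finds a precertificate entry with no matching final certificate (the situation described above for crt.sh) still has a complete TBSCertificate signed by the CA, so the same name and profile checks apply to it as to any issued certificate.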