On Thu, Apr 05, 2018 at 09:05:07PM +0200, Jakob Bohm via dev-security-policy 
wrote:
> On 04/04/2018 04:27, Matt Palmer wrote:
> > On Tue, Apr 03, 2018 at 01:49:58AM +0200, Jakob Bohm via 
> > dev-security-policy wrote:
> > > On 02/04/2018 18:26, Tom Delmas wrote:
> > > > Following the discussion on
> > > > https://community.letsencrypt.org/t/non-logging-of-final-certificates/58394
> > > > 
> > > > What is the position of Mozilla about the submission to ct-logs of the
> > > > final certificate when there is already a pre-certificate?
> > > > 
> > > > As it helps discover bugs (
> > > > https://twitter.com/_quirins/status/979788044994834434 ), it helps
> > > > accountability of CAs and it's easily enforceable, I feel that it should
> > > > be mandatory.
> > > 
> > > If such a policy were to be enacted, an alternative to submitting the
> > > final certificate should be to revoke the certificate in both a
> > > published CRL and in OCSP.  It would be counter to security to require
> > > issuance in the few cases where misissuance is detected between CT
> > > Pre-cert logging and actual issuance.
> > 
> > Logging the precert is considered demonstration of intent to issue, and is
> > considered misissuance to the exact same degree as actually issuing the
> > cert.  So revoke or whatever, you still done goofed, and so you should be
> > checking for misissuance *before* you log the precert, not afterwards.
> 
> Of course, I am just saying we should not force CAs to make a misissuance
> worse in the rare cases where they /actually/ spot the mistake between
> precert signing and actual cert signing.

Who is forcing CAs to misissue a certificate?

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
