If an OCSP server supports returning (or always returns) properties of the actual cert, such as the CT proofs, then it really cannot do its usual "good" responses until the process of retrieving CT proofs and creating the final TBSCertificate (and possibly signing it) has been completed.
Thus, as a practical matter, treating a sign-CT-sign-CT in-process state as "unknown serial, may issue in future" may often be the only practical solution. Now, depending on interpretations, I am unsure if returning "revoked" for the general case of "unknown serial, may issue in future" would violate the ban on unrevoking certificates.

On 31/08/2019 17:07, Jeremy Rowley wrote:
> Obviously I think good is the best answer based on my previous posts. A
> precert is still a cert. But I can see how people could disagree with me.
> ________________________________
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> on
> behalf of Jeremy Rowley via dev-security-policy
> <dev-security-policy@lists.mozilla.org>
> Sent: Saturday, August 31, 2019 9:05:24 AM
> To: Tomas Gustavsson <tomasshred...@gmail.com>;
> mozilla-dev-security-pol...@lists.mozilla.org
> <mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized”
> for Some Precertificates
>
> I don't recall the CAB Forum ever contemplating or discussing OCSP for
> precertificates. The requirement to provide responses is pretty clear, but
> what that response should be is a little confusing imo.
> ...

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
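An added illustration of the reasoning in the message above (example code written for this page, not from the thread, from Let's Encrypt, or from any CA's responder): a toy model of a sign-CT-sign issuance pipeline and an OCSP responder that maps each pipeline stage to an OCSP CertStatus. It compares the two policies the post discusses for an in-flight serial, answering "unknown" versus answering "revoked", and checks each against the rule that a serial once reported "revoked" must never later be reported "good". The stage names, the policy names and the issuance path are all constructed for the example; the check implements one reading of the unrevoke ban, which the post itself says is open to interpretation.

```python
"""Toy model: OCSP answers for a serial moving through precert signing,
SCT retrieval and final signing.  Added example, not code from the thread.
Stages, policies and the walk through them are constructed for illustration."""
from enum import Enum


class Stage(Enum):
    UNSEEN = "unseen"            # serial never seen by the CA
    PRECERT_SIGNED = "precert"   # precertificate signed, SCTs not yet fetched
    SCTS_FETCHED = "scts"        # SCTs obtained, final TBSCertificate built
    FINAL_SIGNED = "final"       # final certificate signed and published
    REVOKED = "revoked"          # revoked by the CA (terminal state)


# Stages where a precert exists but the final certificate does not yet.
IN_FLIGHT = {Stage.PRECERT_SIGNED, Stage.SCTS_FETCHED}


def ocsp_status(stage, in_flight_policy="unknown"):
    """Return the OCSP CertStatus ("good", "revoked" or "unknown") for a stage.

    in_flight_policy is the answer given while the final certificate does not
    exist yet: "unknown" (the answer the post calls the only practical one)
    or "revoked" (the alternative whose legality the post questions).
    """
    if in_flight_policy not in ("unknown", "revoked"):
        raise ValueError("policy must be 'unknown' or 'revoked'")
    if stage is Stage.REVOKED:
        return "revoked"
    if stage is Stage.FINAL_SIGNED:
        # Only here can a responder that embeds final-cert properties
        # (such as SCTs) actually produce its usual "good" answer.
        return "good"
    if stage in IN_FLIGHT:
        return in_flight_policy
    return "unknown"  # never-issued serial


def violates_unrevoke_ban(statuses):
    """True if a "revoked" answer for a serial is ever followed by "good".

    Models the rule that revocation is permanent: once a responder has told
    relying parties a serial is revoked, it must not later call it good.
    """
    seen_revoked = False
    for status in statuses:
        if status == "revoked":
            seen_revoked = True
        elif status == "good" and seen_revoked:
            return True
    return False


def simulate_issuance(policy):
    """Walk one serial through sign-CT-sign and record every OCSP answer."""
    path = [Stage.UNSEEN, Stage.PRECERT_SIGNED,
            Stage.SCTS_FETCHED, Stage.FINAL_SIGNED]
    return [ocsp_status(stage, policy) for stage in path]


if __name__ == "__main__":
    for policy in ("unknown", "revoked"):
        answers = simulate_issuance(policy)
        verdict = "violates ban" if violates_unrevoke_ban(answers) else "ok"
        print(f"in-flight policy={policy!r}: {answers} -> {verdict}")
```

Under the "unknown" policy the answers move unknown, unknown, unknown, good and never contradict an earlier revocation; under the "revoked" policy the responder says revoked while the precert is in flight and then good once the final cert is signed, which is exactly the revoked-to-good transition the check flags.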