I think that's perfectly clear but I wanted to double check in case "perfectly clear" was me misreading it. One thing that does come up a lot is whether a CA has to revoke a pre-certificate if the certificate doesn't actually issue. I think this has been adequately answered on the bug lists but would be good to codify.
For the language maybe: This means, for example, that (i) a CA must provide OCSP services and responses in accordance with the Mozilla policy for all pre-certificates as if corresponding certificate exists and (ii) a CA must be able to revoke a pre-certificate if revocation of the certificate is required under the Mozilla policy and the corresponding certificate doesn't actually exist and therefore cannot be revoked. ________________________________ From: Wayne Thayer <wtha...@mozilla.com> Sent: Wednesday, September 11, 2019 7:22:29 PM To: Jeremy Rowley <jeremy.row...@digicert.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: DigiCert OCSP services returns 1 byte Correct. That's what I intended to convey with the last sentence: This means, for example, that the requirements for OCSP for end-entity certificates apply even when a CA has issued a precertificate without issuing a corresponding certificate. Do you have any suggestions for how I can improve/clarify? On Wed, Sep 11, 2019 at 6:19 PM Jeremy Rowley <jeremy.row...@digicert.com<mailto:jeremy.row...@digicert.com>> wrote: Hey Wayne - I take it that this "Mozilla recognizes a precertificate as proof that a corresponding certificate has been issued" means a CA issuing a precert without the final cert must respond "good" unless the pre-cert is revoked? Responding unknown means the CA wouldn't know that they issued the cert, which means they disagree with the proof that a corresponding cert has been issued. Jeremy -----Original Message----- From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org<mailto:dev-security-policy-boun...@lists.mozilla.org>> On Behalf Of Wayne Thayer via dev-security-policy Sent: Wednesday, September 11, 2019 7:08 PM To: mozilla-dev-security-pol...@lists.mozilla.org<mailto:mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: DigiCert OCSP services returns 1 byte Mozilla has, to-date, not published policies related to Certificate Transparency, but this is a case where a clarification would be helpful. I propose adding the following language to our "Required Practices" wiki page [1]: The current implementation of Certificate Transparency does not provide any > way for Relying Parties to determine if a certificate corresponding to > a given precertificate has or has not been issued. It is only safe to > assume that a certificate corresponding to every precertificate exists. > > RFC 6962 states "The signature on the TBSCertificate indicates the > certificate authority's intent to issue a certificate. This intent is > considered binding (i.e., misissuance of the Precertificate is > considered equal to misissuance of the final certificate)." > > > > However, BR 7.1.2.5 state "For purposes of clarification, a > Precertificate, as described in RFC 6962 - Certificate Transparency, > shall not be considered to be a "certificate" subject to the > requirements of RFC > 5280 - Internet X.509 Public Key Infrastructure Certificate and > Certificate Revocation List (CRL) Profile under these Baseline Requirements." > > Mozilla interprets the BR language as a specific exception allowing > CAs to issue a precertificate containing the same serial number as the > subsequent certificate [2]. Mozilla recognizes a precertificate as > proof that a corresponding certificate has been issued. > > This means, for example, that the requirements for OCSP for end-entity > certificates apply even when a CA has issued a precertificate without > issuing a corresponding certificate. > I plan to add this to the wiki next week. I also plan to include this in in a future update to our Root Store Policy. I will greatly appreciate your constructive feedback on this proposal. - Wayne [1] https://wiki.mozilla.org/CA/Required_or_Recommended_Practices [2] https://cabforum.org/pipermail/public/2014-January/002694.html On Thu, Aug 29, 2019 at 12:53 PM Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org>> wrote: > Let me try that again since I didn't explain my original post very well. > Totally worth it since I got a sweet Yu-gi-oh reference out of fit. > > What happened at DigiCert is that the OCSP service failed to return a > signed response for a certificate where a pre-certificate existed by a > certificate had not issued for whatever reason. The question asked was > what type of OCSP services are required for a pre-cert if there is no > other certificate. The answer we came up with is it should respond > "GOOD" based on the Mozilla policy, not Unknown or any other response. > Note that this was a bug in the DigiCert system but it lead to a fun internal > discussion. > What I'm sharing is the outcome of the internal discussion - it's only > tangentially related to the bug, not the cause or remediation of it. > > Summary: Pre-certs require a standard OCSP response as if the pre-cert > was a normal cert. In fact, it's a mistake to ever think of pre-certs > as anything other than TLS certs, even if the poison extension exists. > > The question comes up because the BRs don't cover pre-certs. However, > as Ryan points out, the browsers sort-of cover this as does the > Mozilla policy. The browser say this is a promise to issue the cert > and mis-issuance of a pre-cert is the same as mis-issuance of a cert. > Although this isn't mis-issuance in the traditional profile sense, the > lack of OCSP services for the pre-cert is a violation of the Mozilla > policy. I couldn't figure out if it's a violation of the Chrome policy > since Chrome says it's a promise to issue a cert. If the cert hasn't > issued, then I'm not sure where that puts the OCSP service for Chrome. > Regardless, according to Mozilla's policy, the requirement is that > regardless of how long the cert takes to issue, the CA must provide > OCSP services for the pre-cert. The reason is Mozilla requires an OCSP > for each end-entity certificate listing an AIA in the certificate. Pre-certs > are end-entity certificates. > > Jeremy > > -----Original Message----- > From: dev-security-policy > <dev-security-policy-boun...@lists.mozilla.org<mailto:dev-security-policy-boun...@lists.mozilla.org>> > On Behalf Of Jeremy Rowley via dev-security-policy > Sent: Thursday, August 29, 2019 11:55 AM > To: Peter Bowen <pzbo...@gmail.com<mailto:pzbo...@gmail.com>>; Ryan Sleevi > <r...@sleevi.com<mailto:r...@sleevi.com>> > Cc: Curt Spann <csp...@apple.com<mailto:csp...@apple.com>>; > mozilla-dev-security-pol...@lists.mozilla.org<mailto:mozilla-dev-security-pol...@lists.mozilla.org> > Subject: Re: DigiCert OCSP services returns 1 byte > > Yes. That was the point of my post. There is a requirement fo return > an ocsp repsonse for a pre cert where the cert hasn't issued because > of the Mozilla policy. Hence our failure was a Mozilla policy > violation even if no practical system can use the response because no > actual cert (without a posion extension) exists. > ________________________________ > From: Peter Bowen <pzbo...@gmail.com<mailto:pzbo...@gmail.com>> > Sent: Thursday, August 29, 2019 11:44:11 AM > To: Ryan Sleevi <r...@sleevi.com<mailto:r...@sleevi.com>> > Cc: Jeremy Rowley > <jeremy.row...@digicert.com<mailto:jeremy.row...@digicert.com>>; Curt Spann < > csp...@apple.com<mailto:csp...@apple.com>>; > mozilla-dev-security-pol...@lists.mozilla.org<mailto:mozilla-dev-security-pol...@lists.mozilla.org> > < > mozilla-dev-security-pol...@lists.mozilla.org<mailto:mozilla-dev-security-pol...@lists.mozilla.org>> > Subject: Re: DigiCert OCSP services returns 1 byte > > > > On Thu, Aug 29, 2019 at 10:38 AM Ryan Sleevi via dev-security-policy < > dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org><mailto: > dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org>>> > wrote: > On Thu, Aug 29, 2019 at 1:15 PM Jeremy Rowley via dev-security-policy > < > dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org><mailto: > dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org>>> > wrote: > > > Thanks for posting this Curt. We investigated and posted an > > incident report on Bugzilla. The root cause was related to pre-certs > > and an error in generating certificates for them. We're fixing the > > issue (should be done shortly). I figured it'd be good to document > > here why pre-certs fall under the requirement so there's no > > confusion for other > CAs. > > > > Oh, Jeremy, you were going so well on the bug, but now you've > activated my trap card (since you love the memes :) ) > > It's been repeatedly documented every time a CA tries to make this > argument. > > Would you suggest we remove that from the BRs? I'm wholly supportive > of this, since it's known I was not a fan of adding it to the BRs for > precisely this sort of creative interpretation. I believe you're now > the ... fourth... CA that's tried to skate on this? > > Multiple root programs have clarified: The existence of a > pre-certificate is seen as a binding committment, for purposes of > policy, by that CA, that it will or has issued an equivalent certificate. > > Is there a requirement that a CA return a valid OCSP response for a > pre-cert if they have not yet issued the equivalent certificate? > > Is there a requirement that a CA return a valid OCSP response for a > serial number that has never been assigned? I know of several OCSP > responders that return a HTTP error in this case. > > Thanks, > Peter > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org> > https://lists.mozilla.org/listinfo/dev-security-policy > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org> > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org> https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
