We’ve been following the discussions regarding how OCSP responders should handle Precertificates without corresponding certificates and what the appropriate response indicator should be (good, revoked, or unknown).
Based on the recent clarifications at [1], we want to inform the community that Apple’s OCSP responders return a status of “unknown” for Precertificates without a corresponding certificate.

We have identified one Precertificate that did not result in a corresponding certificate for which our OCSP responders are returning a status of “unknown” (https://crt.sh/?id=1368484681). We’ve updated the OCSP responders to respond “good” for that Precertificate and a long-term fix is in progress.

We appreciate the efforts being made to amend the Mozilla Root Store Policy to explicitly address matters relating to Certificate Transparency.

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/LC_y8yPDI9Q/24Fl9kc-AQAJ