On 17/09/2019 08:01, Kurt Roeckx via dev-security-policy wrote:
> On 2019-09-16 14:02, Rob Stradling wrote:
>>
>> ISTM that this "certificate presumed to exist" concept doesn't play
>> nicely with the current wording of BR 4.9.10:
>>     'If the OCSP responder receives a request for status of a certificate
>>      that has not been issued, then the responder SHOULD NOT respond with
>>      a "good" status.'
>>
>> If a certificate (with embedded SCTs and no CT poison extension) is
>> "presumed to exist" but the CA has not actually issued it, then to my
>> mind that's a "certificate that has not been issued"; and therefore, the
>> OCSP 'responder SHOULD NOT respond with a "good" status'.
> 
> The problem of course is that you don't query OCSP about a certificate, 
> you query it about a serial number. And that serial number has been 
> issued. So maybe the BRs should say serial number instead of certificate?

Hi Kurt.  I agree, hence why I proposed:

   "- I would also like to see BR 4.9.10 revised to say something roughly
along these lines:
    'If the OCSP responder receives a status request for a serial number
     that has not been allocated by the CA, then the responder SHOULD NOT
     respond with a "good" status.'"

-- 
Rob Stradling
Senior Research & Development Scientist
Email: r...@sectigo.com
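To make the distinction discussed in this thread concrete (a serial number that the CA has allocated, for example by logging a precertificate, versus one the CA has never allocated), here is an added example of the lookup an OCSP responder would perform. It is not code from the thread, from Mozilla, or from any CA; the `SerialRegister` class is a hypothetical stand-in for the CA's own issuance database, and answering "unknown" for an unallocated serial is an assumed choice consistent with the "SHOULD NOT respond with a 'good' status" requirement quoted above.

```python
from enum import Enum
from typing import Dict, Optional


class Status(Enum):
    """The three CertStatus values an OCSP response can carry (RFC 6960)."""
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


class SerialRegister:
    """Hypothetical CA-side record of allocated serial numbers.

    A serial becomes 'allocated' as soon as the CA commits to it (for example
    when it signs a precertificate for CT logging), even if the final
    certificate is never built; that is the "presumed to exist" case.
    """

    def __init__(self) -> None:
        self._entries: Dict[int, Dict[str, bool]] = {}

    def allocate(self, serial: int, final_cert_issued: bool = False) -> None:
        self._entries[serial] = {"issued": final_cert_issued, "revoked": False}

    def revoke(self, serial: int) -> None:
        # Only an allocated serial can be revoked.
        self._entries[serial]["revoked"] = True

    def lookup(self, serial: int) -> Optional[Dict[str, bool]]:
        return self._entries.get(serial)


def ocsp_status(register: SerialRegister, serial: int) -> Status:
    """Decide the CertStatus for a requested serial number.

    The responder is asked about a serial, not a certificate, so the decision
    keys on whether the CA ever allocated that serial (the wording proposed in
    the thread), not on whether a final certificate object exists.
    """
    entry = register.lookup(serial)
    if entry is None:
        # Never allocated by this CA: must not answer "good". "unknown" is the
        # assumed choice here.
        return Status.UNKNOWN
    if entry["revoked"]:
        return Status.REVOKED
    # Allocated and not revoked: "good" applies whether the final certificate
    # was issued or only a precertificate was logged.
    return Status.GOOD


def violates_proposed_4_9_10(register: SerialRegister, serial: int, answer: Status) -> bool:
    """Audit check: flag a 'good' answer for a serial the CA never allocated."""
    return answer is Status.GOOD and register.lookup(serial) is None


def build_sample_register() -> SerialRegister:
    """Constructed sample data, not real CA records."""
    reg = SerialRegister()
    reg.allocate(0x1001, final_cert_issued=True)   # ordinary issued certificate
    reg.allocate(0x1002, final_cert_issued=False)  # precert logged, final cert never built
    reg.allocate(0x1003, final_cert_issued=True)
    reg.revoke(0x1003)                             # issued, then revoked
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for s in (0x1001, 0x1002, 0x1003, 0x9999):
        print(hex(s), ocsp_status(reg, s).value)
```

Running the block prints `good` for the issued and the precert-only serials, `revoked` for the revoked one, and `unknown` for `0x9999`, which the CA never allocated. The audit helper shows how a compliance check would read once the rule is phrased in terms of allocated serials: any responder that says "good" for a serial absent from the register is in violation, regardless of whether a certificate was ever built.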

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy