On Fri, Sep 20, 2019 at 4:56 AM Dimitris Zacharopoulos <ji...@it.auth.gr> wrote:
> <snip>
>
> Using the following practice as described in RFC 6960 should not be a
> violation of the BRs. That is, answering revoked where a pre-certificate
> has been issued but not the final certificate should be OK as long as the
> response contains the Extended Revoked extension and the revocationReason
> is certificateHold. With this practice, it is very clear that the final
> certificate has not been issued, so would this be considered a violation
> of the Mozilla policy?
>

Yes, I think it would be a violation of Mozilla policy for a CA's OCSP
responder to return a certificateHold reason in a response for a
precertificate. As you noted, the BRs forbid certificate suspension. Mozilla
assumes that a certificate corresponding to every precertificate exists, so
the OCSP response would be interpreted as applying to a certificate and thus
violating the BRs.

In practice, I also think that Ryan has raised a good point about OCSP
response caching. If a revoked response for a precertificate were supplied
by a CA, would the Subscriber need to wait until that response expires
before using the certificate, or else risk that some user agent has cached
the revoked response?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
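As an added example that is not part of the thread (and not code from Mozilla, any CA, or the RFC authors), the following Python script uses the `cryptography` library to construct the kind of response Dimitris describes for a constructed test CA and precertificate: certStatus revoked, revocationReason certificateHold, and the RFC 6960 section 4.4.8 Extended Revoked Definition response extension (OID 1.3.6.1.5.5.7.48.1.9, value ASN.1 NULL). It then inspects the DER the way a checker applying the reply's two points would: a revoked/certificateHold answer is flagged as a suspension regardless of the Extended Revoked extension, and nextUpdate is reported as the earliest moment a final certificate could be deployed without some client still holding a cached "revoked" answer. The CA name, subject, serials, validity periods and all function names are my own constructions.

```python
"""Added example: build and inspect an OCSP 'revoked/certificateHold' response
for a precertificate.  All PKI material below is constructed test data."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

# RFC 6960 section 4.4.8: id-pkix-ocsp-extended-revoke; extnValue is ASN.1 NULL.
EXTENDED_REVOKED_OID = x509.ObjectIdentifier("1.3.6.1.5.5.7.48.1.9")
ASN1_NULL = b"\x05\x00"
UTC = datetime.timezone.utc


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _make_test_pki(now):
    """Constructed test CA plus a precertificate (RFC 6962 poison extension)."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(_name("Example Test CA"))
        .issuer_name(_name("Example Test CA"))
        .public_key(ca_key.public_key())
        .serial_number(1)
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    precert = (
        x509.CertificateBuilder()
        .subject_name(_name("www.example.test"))
        .issuer_name(ca_cert.subject)
        .public_key(leaf_key.public_key())
        .serial_number(0x1234)
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=90))
        .add_extension(x509.PrecertPoison(), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    return ca_key, ca_cert, precert


def build_hold_response(now, validity=datetime.timedelta(days=7)):
    """DER OCSP response for the precertificate: revoked/certificateHold plus
    the Extended Revoked Definition response extension."""
    ca_key, ca_cert, precert = _make_test_pki(now)
    builder = (
        ocsp.OCSPResponseBuilder()
        .add_response(
            cert=precert,
            issuer=ca_cert,
            algorithm=hashes.SHA256(),
            cert_status=ocsp.OCSPCertStatus.REVOKED,
            this_update=now,
            next_update=now + validity,
            revocation_time=now,
            revocation_reason=x509.ReasonFlags.certificate_hold,
        )
        .responder_id(ocsp.OCSPResponderEncoding.NAME, ca_cert)
        .add_extension(x509.UnrecognizedExtension(EXTENDED_REVOKED_OID, ASN1_NULL), critical=False)
    )
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def _next_update_utc(resp):
    # cryptography >= 43 exposes tz-aware *_utc accessors; older versions return naive UTC.
    dt = getattr(resp, "next_update_utc", None)
    if dt is None:
        dt = resp.next_update.replace(tzinfo=UTC)
    return dt


def analyze_response(der, now):
    """Apply the thread's two points to a parsed response: a revoked answer with
    reason certificateHold is a suspension whether or not the Extended Revoked
    extension is present, and clients may cache the answer until nextUpdate."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError("not a successful response")
    try:
        resp.extensions.get_extension_for_oid(EXTENDED_REVOKED_OID)
        extended_revoked = True
    except x509.ExtensionNotFound:
        extended_revoked = False
    is_suspension = (
        resp.certificate_status == ocsp.OCSPCertStatus.REVOKED
        and resp.revocation_reason == x509.ReasonFlags.certificate_hold
    )
    remaining = (_next_update_utc(resp) - now).total_seconds()
    return {
        "extended_revoked": extended_revoked,
        "is_suspension": is_suspension,
        # seconds a cache-respecting client may still serve the 'revoked' answer
        "cache_seconds_remaining": max(0, int(remaining)),
    }


def demo(now=None, check_after_seconds=0):
    """Build the response at `now` and analyse it `check_after_seconds` later."""
    now = now or datetime.datetime.now(UTC).replace(microsecond=0)
    later = now + datetime.timedelta(seconds=check_after_seconds)
    return analyze_response(build_hold_response(now), later)


if __name__ == "__main__":
    print(demo())
    print(demo(check_after_seconds=8 * 24 * 3600))
```

Run as a script it prints the analysis twice: once at issuance time, where the hold is flagged and a full seven-day cache window remains, and once eight days later, where the window has closed. The Extended Revoked extension is deliberately not part of the suspension test, mirroring the reply's position that its presence does not change how the response is interpreted.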