All,

This email introduces discussion of GitHub Issue #138 <https://github.com/mozilla/pkipolicy/issues/138>, which is to add section 5.4 to the Mozilla Root Store Policy to address Certificate Transparency precertificates.

While Mozilla does not have a policy requiring pre-publication of certificates via Certificate Transparency, we consider CT precertificates to be a binding intent to issue as described in RFC 9162, which raises a number of compliance issues when not done correctly. Thus, the MRSP needs to make certain statements about precertificates, as outlined below.

Here is a redline: https://github.com/BenWilson-Mozilla/pkipolicy/commit/b1e085f4863a9e61b580fd838b2b3365e2e70822

The proposed text that would be added is:

5.4 Precertificates

Certificate Transparency precertificates are considered by Mozilla to be a binding intent to issue a certificate, as described in section 3.2.1 of RFC 9162, and thus in-scope for enforcing compliance with these requirements. Thus,

- if any certificates with the same serial number and issuer exist, and one cannot be verified as the precertificate matching the final certificate using the algorithms in RFC 9162, this will be considered misissuance;
- issuance of a precertificate that does not comply with this policy is considered equal to misissuance of a final certificate;
- a CA must be able to revoke a certificate presumed to exist, if revocation of the certificate is required under this policy, even if the final certificate does not actually exist; and
- a CA must provide CRL and OCSP services and responses in accordance with this policy for all certificates presumed to exist based on the presence of a precertificate, even if the certificate does not actually exist.

Please provide any comments in this thread.

Thanks,
Ben
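The first bullet of the proposed 5.4 text hinges on being able to verify that a precertificate "matches" a final certificate with the same serial and issuer. The check RFC 9162 describes is byte-level: drop the CT poison extension from the precertificate's TBSCertificate, drop the embedded SCT list extension from the final certificate's TBSCertificate, and the two must be identical. The following is an added example of that comparison written for this post (it is not Mozilla's code, not part of the policy, and not a CA's tooling). It uses only the Python standard library and a small DER walker; the TBSCertificates it compares are constructed toy structures, not real certificates, and the case where a Precertificate Signing Certificate changes the issuer field is deliberately left out (assumption: the CA key signed the precertificate directly).

```python
"""Compare a precertificate's TBSCertificate with a final certificate's the way
RFC 9162 describes: strip the poison extension from one, the SCT list extension
from the other, then compare the remaining DER byte for byte.
Added example with constructed inputs; not a real certificate parser."""

SEQUENCE, OID_TAG, EXTENSIONS_TAG = 0x30, 0x06, 0xA3   # 0xA3 = [3] EXPLICIT
POISON_OID = "1.3.6.1.4.1.11129.2.4.3"     # CT precertificate poison (critical, value NULL)
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"   # embedded SignedCertificateTimestampList


def der_len(n: int) -> bytes:
    """Definite-form DER length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> full DER OBJECT IDENTIFIER element (first arc 0 or 1 only)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(groups))
    return tlv(OID_TAG, bytes(out))


def decode_oid(body: bytes) -> str:
    """DER OID body (no tag/length) -> dotted string."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, off: int):
    """Return (tag, body_start, end) of the DER element at `off`."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    return tag, off + hdr, off + hdr + length


def children(body: bytes):
    """Yield (tag, raw_element, element_body) for each child of a constructed body."""
    off = 0
    while off < len(body):
        tag, start, end = read_tlv(body, off)
        yield tag, body[off:end], body[start:end]
        off = end


def strip_extension(tbs: bytes, oid: str) -> bytes:
    """Copy of `tbs` with the extension identified by `oid` removed; all other fields verbatim."""
    tag, start, end = read_tlv(tbs, 0)
    assert tag == SEQUENCE and end == len(tbs), "expected a single DER SEQUENCE"
    rebuilt = bytearray()
    for ctag, raw, body in children(tbs[start:end]):
        if ctag != EXTENSIONS_TAG:
            rebuilt += raw
            continue
        inner_tag, istart, iend = read_tlv(body, 0)
        assert inner_tag == SEQUENCE, "extensions must wrap a SEQUENCE OF Extension"
        kept = bytearray()
        for _, ext_raw, ext_body in children(body[istart:iend]):
            otag, ostart, oend = read_tlv(ext_body, 0)   # extnID is the first field
            assert otag == OID_TAG
            if decode_oid(ext_body[ostart:oend]) != oid:
                kept += ext_raw
        if kept:   # convention for this example: an emptied extensions block is dropped on both sides
            rebuilt += tlv(EXTENSIONS_TAG, tlv(SEQUENCE, bytes(kept)))
    return tlv(SEQUENCE, bytes(rebuilt))


def precert_matches_final(precert_tbs: bytes, final_tbs: bytes) -> bool:
    """RFC 9162 comparison (Precertificate Signing Certificate issuer swap not handled)."""
    return strip_extension(precert_tbs, POISON_OID) == strip_extension(final_tbs, SCT_LIST_OID)


# ---- constructed sample TBSCertificates (toy shapes, not real certificates) ----
def extension(oid: str, value: bytes, critical: bool = False) -> bytes:
    parts = encode_oid(oid) + (tlv(0x01, b"\xff") if critical else b"")
    return tlv(SEQUENCE, parts + tlv(0x04, value))


def toy_tbs(serial: bytes, extra_exts: bytes) -> bytes:
    """version v3, a serial number, and an extensions block with keyUsage plus `extra_exts`."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))
    key_usage = extension("2.5.29.15", b"\x03\x02\x05\xa0", critical=True)
    return tlv(SEQUENCE, version + tlv(0x02, serial)
               + tlv(EXTENSIONS_TAG, tlv(SEQUENCE, key_usage + extra_exts)))


SERIAL = b"\x0a\x1b\x2c\x3d"                                   # constructed
PRECERT_TBS = toy_tbs(SERIAL, extension(POISON_OID, b"\x05\x00", critical=True))
FINAL_TBS = toy_tbs(SERIAL, extension(SCT_LIST_OID, b"\x04\x03sct"))     # constructed SCT payload
OTHER_TBS = toy_tbs(b"\x0a\x1b\x2c\x3e", extension(SCT_LIST_OID, b"\x04\x03sct"))
NO_SCT_TBS = toy_tbs(SERIAL, b"")   # final cert issued without embedded SCTs

if __name__ == "__main__":
    print("precert vs final:", precert_matches_final(PRECERT_TBS, FINAL_TBS))
    print("precert vs different serial:", precert_matches_final(PRECERT_TBS, OTHER_TBS))
    print("precert vs final without SCT list:", precert_matches_final(PRECERT_TBS, NO_SCT_TBS))
```

The third case matters for the bullet in question: a CA may log a precertificate and then deliver the final certificate without an embedded SCT list, and that pair still matches under this comparison. Anything else that differs after stripping (serial, validity, SANs, any other extension) is exactly the "cannot be verified as the precertificate matching the final certificate" condition the proposed text calls misissuance.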
