On 19/09/15 19:12, Brian Smith wrote:
On Sat, Sep 19, 2015 at 7:20 AM, Gervase Markham <[email protected]> wrote:
Symantec just fired people for mis-issuing a google.com 1-day pre-cert:
By the way, Symantec didn't say "pre-cert," they said "certificates".
Also, I we shouldn't be splitting hairs at the difference between
pre-certificates and certificates as far as mis-issuance detection is
concerned. If people think there is a meaningful (technical, legal, etc.)
distinction between a pre-certificate being logged via CT and the
corresponding certificate being logged in CT, then we should consider
removing the pre-certificate mechanism from CT so that there's no doubts in
that. My view is that there is no meaningful difference.
There is no meaningful difference. Anyone who thinks otherwise has not
read RFC6962 Section 3.1 properly. It says the following about
precertificate (mis)issuance...
"The signature on the TBSCertificate indicates the certificate
authority's intent to issue a certificate. This intent is considered
binding (i.e., misissuance of the Precertificate is considered equal
to misissuance of the final certificate)."
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
