The RFC says "misissuance of a precertificate is considered equal to misissuance of a final certificate". This raises an interesting question. Pre certificates are not required to comply with the Cab forum's BRs as they fall out of scope (not intended to be used for TLS authentication). Sha1 certs are only considered misissued because the BRs say issuance of a SHA1 certificate is prohibited. If the certificate is never issued, the misissuance never occurred because the precertificate was not missused (no reqs against SHA1 precerts) and a certificate in violation of the BRs was never created.
Rob Stradling <rob.stradl...@comodo.com> wrote: On 03/03/16 04:52, sanjay_m...@symantec.com wrote: > On Wednesday, March 2, 2016 at 7:07:23 AM UTC-8, Rob Stradling wrote: <snip> >> I couldn't help but notice this SHA-1 precertificate issued by Symantec >> a couple of days ago: >> https://crt.sh/?id=13407116&opt=cablint <snip> > Rob, Sanjay, thanks for investigating. > This was a pre-certificate. Our systems do not allow issuance of SHA-1 > certificates and no certificate was issued. Were you aware that RFC6962 says that "misissuance of the Precertificate is considered equal to misissuance of the final certificate"? > The pre-certificate was logged but then rejected. We are still investigating. What do you mean by "...but then rejected"? Serial number 64:a9:32:73:a4:19:d1:64:3f:6b:2d:a3:ca:97:f0:89 is not currently listed on the CRL. -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
