On 27/02/17 21:41, Ryan Sleevi wrote: > During a past discussion of precertificates, at > https://groups.google.com/d/msg/mozilla.dev.security.policy/siHOXppxE9k/0PLPVcktBAAJ > , Mozilla did not discuss whether or not it considered > precertificates misissuance, although one module peer (hi! it's me!) > suggested they were.
On this particular point, the CT RFC says that issuing a pre-certificate is a binding statement of intent to issue the certificate. Therefore, for example, one can exempt the cert itself from CAA checking if the pre-cert was checked. Therefore, I would say that we do consider mis-issued pre-certs as misissuance. Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy