On Saturday, 20 May 2017 15:49:44 UTC+1, Michael Casadevall wrote:
> Sanity check here, but I thought that OCSP-CT-Stapling required SCTs to
> be created at the time of issuance. Not sure if there's a way to
> backdate this requirement. If this is only intended for the new roots
> then just a point of clarification.

Issuance of the certificate? No, I don't think so. For a typical big CA which is creating its OCSP responses in advance and then serving the canned responses via a CDN, obviously the SCTs need to be known when that's done, but that doesn't seem too hard to arrange.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

