On 10/08/17 19:35, Jeremy Rowley wrote:
> This is interesting.  We had one Sub CA who mis-issued some pre-certs but
> then never issued an actual certificate tied to the pre-certificate.  There
> was a previous Mozilla discussion (link coming) where mis-issuance of a
> pre-certificate was akin to mis-issuance of the certificate itself.  The
> pre-certificates were later revoked at our request.  If no actual
> certificate issued, the pre-cert falls out of scope of the BRs right? Since
> it can't be used for actual server transactions thanks to the poison
> extensions? Obviously they still fall within the Mozilla policy as they
> contain serverAuth in the EKU.  However, should they be reported as issues
> and should they be revoked in accordance with the BR?

I'm having trouble disentangling your questions from each other :-) But
yes, our position (and that of the CT RFC) is that "mis-issuance of a
pre-certificate is equivalent to mis-issuance of the certificate
itself", and therefore should be reported and dealt with just as if a
cert was mis-issued.
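The poison extension Jeremy refers to is what separates a pre-certificate from a certificate on the wire (RFC 6962 section 3.1: OID 1.3.6.1.4.1.11129.2.4.3, marked critical, value ASN.1 NULL). The following is an added illustration, not code from this thread or from any CA tooling: a standard-library-only DER walk over an X.509 Extensions block that reports whether the poison is present, run against two hand-constructed Extensions blocks (both carrying serverAuth in the EKU, as in the thread).

```python
# Added example (not from the thread): detect the RFC 6962 precertificate
# poison in a DER-encoded X.509 Extensions block using only the stdlib.
POISON_OID = bytes.fromhex("2b06010401d679020403")  # 1.3.6.1.4.1.11129.2.4.3
EKU_OID = bytes.fromhex("551d25")                    # 2.5.29.37 extKeyUsage
SERVER_AUTH = bytes.fromhex("2b06010505070301")      # 1.3.6.1.5.5.7.3.1

def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf: bytes, off: int):
    """Return (tag, body, offset just past this TLV) for the TLV at off."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + nb], "big"), off + nb
    return tag, buf[off:off + ln], off + ln

def parse_extensions(ext_seq: bytes) -> list:
    """Parse Extensions ::= SEQUENCE OF Extension into (oid, critical, value)."""
    tag, seq, _ = read_tlv(ext_seq, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    out, off = [], 0
    while off < len(seq):
        _, ext, off = read_tlv(seq, off)
        _, oid, pos = read_tlv(ext, 0)           # extnID
        critical = False
        tag, body, pos = read_tlv(ext, pos)
        if tag == 0x01:                          # optional BOOLEAN critical
            critical = body != b"\x00"
            tag, body, pos = read_tlv(ext, pos)  # extnValue OCTET STRING
        out.append((oid, critical, body))
    return out

def is_precertificate(ext_seq: bytes) -> bool:
    """True iff the poison is present, critical and holds ASN.1 NULL (05 00)."""
    return any(oid == POISON_OID and crit and val == b"\x05\x00"
               for oid, crit, val in parse_extensions(ext_seq))

def extension(oid: bytes, critical: bool, value: bytes) -> bytes:
    crit = der(0x01, b"\xff") if critical else b""
    return der(0x30, der(0x06, oid) + crit + der(0x04, value))

# Constructed samples: same serverAuth EKU, only the first carries the poison.
EKU = extension(EKU_OID, False, der(0x30, der(0x06, SERVER_AUTH)))
PRECERT_EXTS = der(0x30, EKU + extension(POISON_OID, True, b"\x05\x00"))
CERT_EXTS = der(0x30, EKU)
```

A TLS client that honours critical extensions rejects the first block because it does not understand the poison, which is why a pre-certificate cannot serve a TLS session even though its EKU says serverAuth.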

dev-security-policy mailing list