There's two separable questions here: 1) Should CAs log final certificates after they issue a certificate with embedded SCTs: My answer, yes. 2) Should CAs issue final certificates if they discover they are misissued after logging the pre-certificate.
The answers to (1) and (2) do not need to be the same. Alex On Thu, Apr 5, 2018 at 3:05 PM, Jakob Bohm via dev-security-policy < [email protected]> wrote: > On 04/04/2018 04:27, Matt Palmer wrote: > >> On Tue, Apr 03, 2018 at 01:49:58AM +0200, Jakob Bohm via >> dev-security-policy wrote: >> >>> On 02/04/2018 18:26, Tom Delmas wrote: >>> >>>> Following the discussion on >>>> https://community.letsencrypt.org/t/non-logging-of-final-cer >>>> tificates/58394 >>>> >>>> What is the position of Mozilla about the submission to ct-logs of the >>>> final certificate when there is already a pre-certificate? >>>> >>>> As it helps discover bugs ( >>>> https://twitter.com/_quirins/status/979788044994834434 ), it helps >>>> accountability of CAs and it's easily enforceable, I feel that it should >>>> be mandatory. >>>> >>> >>> If such a policy were to be enacted, an alternative to submitting the >>> final certificate should be to revoke the certificate in both a >>> published CRL and in OCSP. It would be counter to security to require >>> issuance in the few cases where misissuance is detected between CT >>> Pre-cert logging and actual issuance. >>> >> >> Logging the precert is considered demonstration of intent to issue, and is >> considered misissuance to the exact same degree as actually issuing the >> cert. So revoke or whatever, you still done goofed, and so you should be >> checking for misissuance *before* you log the precert, not afterwards. >> >> > Of cause, I am just saying we should not force CAs to make a misissuance > worse in the rare cases where they /actually/ spot the mistake between > precert signing and actual cert signing. > > Remember, a precert generates only the danger that the cert might be > issued with an embedded CT proof, all other dangers only materialize if > and when the cert is actually issued. > > > > Enjoy > > Jakob > -- > Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com > Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 > This public discussion message is non-binding and may contain errors. > WiseMo - Remote Service Management for PCs, Phones and Embedded > _______________________________________________ > dev-security-policy mailing list > [email protected] > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy

