There's two separable questions here:

1) Should CAs log final certificates after they issue a certificate with
embedded SCTs: My answer, yes.
2) Should CAs issue final certificates if they discover they are misissued
after logging the pre-certificate.

The answers to (1) and (2) do not need to be the same.

Alex

On Thu, Apr 5, 2018 at 3:05 PM, Jakob Bohm via dev-security-policy <
[email protected]> wrote:

> On 04/04/2018 04:27, Matt Palmer wrote:
>
>> On Tue, Apr 03, 2018 at 01:49:58AM +0200, Jakob Bohm via
>> dev-security-policy wrote:
>>
>>> On 02/04/2018 18:26, Tom Delmas wrote:
>>>
>>>> Following the discussion on
>>>> https://community.letsencrypt.org/t/non-logging-of-final-cer
>>>> tificates/58394
>>>>
>>>> What is the position of Mozilla about the submission to ct-logs of the
>>>> final certificate when there is already a pre-certificate?
>>>>
>>>> As it helps discover bugs (
>>>> https://twitter.com/_quirins/status/979788044994834434 ), it helps
>>>> accountability of CAs and it's easily enforceable, I feel that it should
>>>> be mandatory.
>>>>
>>>
>>> If such a policy were to be enacted, an alternative to submitting the
>>> final certificate should be to revoke the certificate in both a
>>> published CRL and in OCSP.  It would be counter to security to require
>>> issuance in the few cases where misissuance is detected between CT
>>> Pre-cert logging and actual issuance.
>>>
>>
>> Logging the precert is considered demonstration of intent to issue, and is
>> considered misissuance to the exact same degree as actually issuing the
>> cert.  So revoke or whatever, you still done goofed, and so you should be
>> checking for misissuance *before* you log the precert, not afterwards.
>>
>>
> Of cause, I am just saying we should not force CAs to make a misissuance
> worse in the rare cases where they /actually/ spot the mistake between
> precert signing and actual cert signing.
>
> Remember, a precert generates only the danger that the cert might be
> issued with an embedded CT proof, all other dangers only materialize if
> and when the cert is actually issued.
>
>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
>
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to