Oh, I wasn't arguing that this isn't an issue. The opposite, in fact. I was 
documenting why it is an issue, i.e., that a CA can't argue this isn't a 
compliance concern. It comes up a lot, but I don't remember seeing it here.

From: Ryan Sleevi
Sent: Thursday, August 29, 11:38 AM
Subject: Re: DigiCert OCSP services returns 1 byte
To: Jeremy Rowley
Cc: Curt Spann, mozilla-dev-security-pol...@lists.mozilla.org

On Thu, Aug 29, 2019 at 1:15 PM Jeremy Rowley via dev-security-policy wrote:
> Thanks for posting this Curt. We investigated and posted an incident report on 
> Bugzilla. The root cause was related to pre-certs and an error in generating 
> certificates for them. We're fixing the issue (should be done shortly). I 
> figured it'd be good to document here why pre-certs fall under the requirement 
> so there's no confusion for other CAs.

Oh, Jeremy, you were going so well on the bug, but now you've activated my trap 
card (since you love the memes :) )

It's been repeatedly documented every time a CA tries to make this argument.

Would you suggest we remove that from the BRs? I'm wholly supportive of this, 
since it's known I was not a fan of adding it to the BRs for precisely this 
sort of creative interpretation. I believe you're now the ... fourth... CA 
that's tried to skate on this?

Multiple root programs have clarified: the existence of a pre-certificate is 
seen as a binding commitment, for purposes of policy, by that CA, that it will 
or has issued an equivalent certificate.

1) Has DigiCert reviewed the existing incident reports from other CAs?
2) What process does DigiCert have to review all compliance issues, regardless 
of the CA, so that it can examine its own systems for similar issues or be 
aware of relevant discussions and/or ambiguities?

(And, yes, it's a trap)

dev-security-policy mailing list