If an OCSP server supports returning (or always returns) properties of 
the actual cert, such as the CT proofs, then it really cannot do its 
usual "good" responses until the process of retrieving CT proofs and 
creating the final TBScertificate (and possibly signing it) has been 

Thus as a practical matter, treating a sign-CT-sign-CT in-process state 
as "unknown serial, may issue in future" may often be the only practical 

Now depending on interpretations, I am unsure if returning "revoked" for 
the general case of "unknown serial, may issue in future" would violate 
the ban on unrevoking certificates.

On 31/08/2019 17:07, Jeremy Rowley wrote:
> Obviously I think good is the best answer based on my previous posts. A 
> precert is still a cert. But I can see how people could disagree with me.
> ________________________________
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> on 
> behalf of Jeremy Rowley via dev-security-policy 
> <dev-security-policy@lists.mozilla.org>
> Sent: Saturday, August 31, 2019 9:05:24 AM
> To: Tomas Gustavsson <tomasshred...@gmail.com>; 
> mozilla-dev-security-pol...@lists.mozilla.org 
> <mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” 
> for Some Precertificates
> I dont recall the cab forum ever contemplating or discussing  ocsp for 
> precertificates. The requirement to provide responses is pretty clear, but 
> what that response should be is a little confusing imo.
> ...


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded 
dev-security-policy mailing list

Reply via email to