On Wed, Sep 11, 2019 at 10:09 PM Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> This means, for example, that (i) a CA must provide OCSP services and
> responses in accordance with the Mozilla policy for all pre-certificates as
> if corresponding certificate exists and (ii) a CA must be able to revoke a
> pre-certificate if revocation of the certificate is required under the
> Mozilla policy and the corresponding certificate doesn't actually exist and
> therefore cannot be revoked.
>

Should a CA using a precertificate signing certificate be required to provide OCSP services for their precertificates? Or is it on the relying party to calculate the proper OCSP request for the final certificate and send that instead?

In other words, should we expect a CT-naïve OCSP checker to work normally when presented, e.g., with https://crt.sh/?id=1868433277?

Alex
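To make the question above concrete, here is an added example (not part of the original message) that DER-encodes the RFC 6960 `CertID` an OCSP client sends, once from the precertificate's direct issuer and once from the CA that issues the final certificate. The issuer names, key bytes and serial number are constructed stand-ins, and the function names are hypothetical.

```python
import hashlib

# AlgorithmIdentifier { OID 1.3.14.3.2.26 (SHA-1), NULL }
SHA1_ALGID = bytes.fromhex("300906052b0e03021a0500")

def der(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def der_int(n):
    """Encode a non-negative INTEGER (leading 0x00 when the high bit is set)."""
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def cert_id(issuer_name_der, issuer_key_bits, serial):
    """RFC 6960 CertID: hashes of the issuer's name and key, plus the serial."""
    return der(0x30, SHA1_ALGID
               + der(0x04, hashlib.sha1(issuer_name_der).digest())
               + der(0x04, hashlib.sha1(issuer_key_bits).digest())
               + der_int(serial))

# Constructed stand-ins (not real DER); only their hashes matter here.
CA = (b"CN=Example Issuing CA (constructed)", b"ca-key-bits (constructed)")
PRECERT_SIGNER = (b"CN=Example Precert Signer (constructed)",
                  b"precert-signer-key-bits (constructed)")
SERIAL = 0x0123456789ABCDEF  # precertificate and final certificate share it

def naive_cert_id(serial):
    """What a CT-naive checker asks: the precertificate's direct issuer."""
    return cert_id(*PRECERT_SIGNER, serial)

def final_cert_id(serial):
    """What a CT-aware relying party asks: the final certificate's issuer."""
    return cert_id(*CA, serial)

if __name__ == "__main__":
    print("naive:", naive_cert_id(SERIAL).hex())
    print("final:", final_cert_id(SERIAL).hex())
```

The two requests carry the same serial number but different issuer hashes, so a responder that only knows the final certificate's `CertID` has no entry matching the CT-naive query.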