The language says you have to provide the response for the cert as if it 
exists, but the reality is that sending a response for the precert is the same 
as calculating the result for the certificate as if it exists and sending that. 
They are the same thing because the precert is treated the same as the final 
cert if the final cert doesn’t exist.

I believe the intent is that a CT-naïve OCSP checker would work normally when 
presented with a precert or a certificate. After all, a precert is really just a 
certificate with a special extension.

From: Alex Cohn <a...@alexcohn.com>
Sent: Thursday, September 12, 2019 9:25 AM
To: Jeremy Rowley <jeremy.row...@digicert.com>
Cc: Wayne Thayer <wtha...@mozilla.com>; 
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: DigiCert OCSP services returns 1 byte

On Wed, Sep 11, 2019 at 10:09 PM Jeremy Rowley via dev-security-policy 
<dev-security-policy@lists.mozilla.org> wrote:
This means, for example, that (i) a CA must provide OCSP services and responses 
in accordance with the Mozilla policy for all pre-certificates as if 
corresponding certificate exists and (ii) a CA must be able to revoke a 
pre-certificate if revocation of the certificate is required under the Mozilla 
policy and the corresponding certificate doesn't actually exist and therefore 
cannot be revoked.

Should a CA using a precertificate signing certificate be required to provide 
OCSP services for their precertificates? Or is it on the relying party to 
calculate the proper OCSP request for the final certificate and send that 
instead? In other words, should we expect a CT-naïve OCSP checker to work 
normally when presented, e.g., with https://crt.sh/?id=1868433277?

Alex
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
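As an added illustration of the point argued in this thread (example code, not from the thread, DigiCert or Mozilla), the script below uses the `cryptography` package to build a precertificate and its corresponding final certificate and compares the OCSP CertID a CT-naïve checker would derive from each. Issued directly by the CA, the two CertIDs are identical because the poison extension plays no part in CertID; issued via a precertificate signing certificate (the case Alex raises), the issuer name and key hashes differ. CA names, keys, dates and the serial number are constructed.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

# Constructed values: a fixed clock and the RFC 6962 EKU for precert signing certs.
NOW = datetime.datetime(2019, 9, 12)
PRECERT_SIGNING_EKU = x509.ObjectIdentifier("1.3.6.1.4.1.11129.2.4.4")
LEAF_KEY = ec.generate_private_key(ec.SECP256R1())

def make_ca(name, issuer=None, precert_signing=False):
    """Self-signed root, or (if `issuer` = (key, name) is given) an intermediate."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    issuer_key, issuer_name = issuer if issuer else (key, subject)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=3650))
         .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True))
    if precert_signing:  # RFC 6962 s3.1: precert signing cert carries only this EKU
        b = b.add_extension(x509.ExtendedKeyUsage([PRECERT_SIGNING_EKU]), critical=True)
    return key, b.sign(issuer_key, hashes.SHA256())

def issue_leaf(signer_key, signer_cert, serial, precert):
    """End-entity cert; precert=True adds the CT poison extension (RFC 6962 s3.1)."""
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")]))
         .issuer_name(signer_cert.subject).public_key(LEAF_KEY.public_key())
         .serial_number(serial).not_valid_before(NOW)
         .not_valid_after(NOW + datetime.timedelta(days=90)))
    if precert:
        b = b.add_extension(x509.PrecertPoison(), critical=True)
    return b.sign(signer_key, hashes.SHA256())

def naive_cert_id(cert, signer_cert):
    """CertID a CT-naive checker builds: SHA-1 of the issuer name and key it can see."""
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, signer_cert, hashes.SHA1()).build()
    return (req.issuer_name_hash, req.issuer_key_hash, req.serial_number)

def compare(use_precert_signing_cert):
    """Return (CertID derived from the precert, CertID derived from the final cert)."""
    ca_key, ca_cert = make_ca("Example CA")
    signer_key, signer_cert = ca_key, ca_cert
    if use_precert_signing_cert:
        signer_key, signer_cert = make_ca("Example Precert Signer", (ca_key, ca_cert.subject), True)
    serial = 0x1234ABCD  # constructed; shared by the precert and the final cert
    precert = issue_leaf(signer_key, signer_cert, serial, precert=True)
    final = issue_leaf(ca_key, ca_cert, serial, precert=False)
    return naive_cert_id(precert, signer_cert), naive_cert_id(final, ca_cert)
```

A responder keyed on the final certificate's CertID therefore answers a precert-derived request unchanged in the direct-issuance case, while the precert-signing-cert case yields a request it does not recognise unless the checker substitutes the real CA as issuer.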
