> On 12 Sep 2019, at 18:46, Jeremy Rowley via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
> The language says you have to provide the response for the cert as if it
> exists, but the reality is that sending a response for the precert is the
> same as calculating the result for the certificate as if it exists and
> sending that. They are the same thing because the precert is treated the same
> as the final cert if the final cert doesn't exist.
I could be horribly mistaken, but I think what Alex was asking is: in the event that precertificates are not signed by the issuing CA's private key, but rather by a separate signing key/certificate dedicated to that purpose (per RFC 6962, Section 3.1), is there then an obligation to provide OCSP services for that, given that the (name-hash, key-hash) on the OCSP request would not be the same as that which would normally obtain for the final certificate, which is signed directly by the issuing CA key?

It would _seem_ right that it should, since a pre-certificate could reasonably be revoked prior to issuing the final certificate, for several reasons. Yet it's a reasonable follow-up question: would CAs who have such dedicated certificates make them available such that RPs could construct those OCSP requests?

> I believe the intent is that a CT-naïve OCSP checker would work normally when
> presented with a precert or a certificate. After all, a precert is really just
> a certificate with a special extension.

Would an OCSP server even be able to tell the difference? After all, it simply gets presented with a CA identifier (name-hash, key-hash) and a serial number. If it knows about that combination, it provides a response, but it's got no way of knowing, absent extra information in its database, whether the request pertains to a pre-cert or cert, in general. But see above for the case of dedicated precertificate signing certificates.

Regards,

Neil

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
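The point in the message above, that a responder only ever sees (issuer name hash, issuer key hash, serial), can be made concrete by building both identities and feeding them to a responder that indexes on exactly that triple. The following is an added example, not code from the thread or from any CA or Mozilla project. It constructs a throwaway hierarchy in memory with Go's standard library only: an issuing CA, a dedicated Precertificate Signing Certificate under it carrying the RFC 6962 precert-signing EKU (1.3.6.1.4.1.11129.2.4.4), a precertificate with the critical poison extension (1.3.6.1.4.1.11129.2.4.3) signed by that dedicated key, and the final certificate with the same serial signed by the CA itself. The subject names, serials and the `Responder` type are hypothetical; the CertID hashing follows RFC 6960 section 4.1.1 (SHA-1 over the issuer's DER Name and over the contents of the issuer's subjectPublicKey BIT STRING).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// CertID is the part of the OCSP CertID (RFC 6960, 4.1.1) a responder indexes on.
// SHA-1 is fixed because that is what requests on the wire almost always carry.
type CertID struct {
	IssuerNameHash, IssuerKeyHash []byte
	Serial                        *big.Int
}

// key is the responder's lookup key; hex keeps it printable.
func (id CertID) key() string {
	return hex.EncodeToString(id.IssuerNameHash) + "/" + hex.EncodeToString(id.IssuerKeyHash) + "/" + id.Serial.Text(16)
}

// OCSPCertID builds the CertID a client would send for cert, given the certificate it
// takes to be the issuer. issuerKeyHash covers only the subjectPublicKey BIT STRING
// contents, not the whole SubjectPublicKeyInfo, so the SPKI is unmarshalled first.
func OCSPCertID(cert, issuer *x509.Certificate) (CertID, error) {
	var info struct {
		Algorithm pkix.AlgorithmIdentifier
		PublicKey asn1.BitString
	}
	if _, err := asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &info); err != nil {
		return CertID{}, err
	}
	n, k := sha1.Sum(issuer.RawSubject), sha1.Sum(info.PublicKey.Bytes)
	return CertID{n[:], k[:], new(big.Int).Set(cert.SerialNumber)}, nil
}

// Responder is a toy (hypothetical) OCSP database keyed the way a CT-naive responder
// sees requests: it cannot tell precert from cert, only whether it knows the triple.
type Responder struct{ known map[string]bool }

func NewResponder() *Responder { return &Responder{known: map[string]bool{}} }

// Register records a serial the responder answers for under the given issuer identity.
func (r *Responder) Register(issuer *x509.Certificate, serial *big.Int) {
	id, _ := OCSPCertID(&x509.Certificate{SerialNumber: serial}, issuer)
	r.known[id.key()] = true
}

func (r *Responder) Knows(id CertID) bool { return r.known[id.key()] }

// --- constructed in-memory hierarchy (not a real CA) ---

var (
	oidCTPoison      = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} // RFC 6962 3.1
	oidCTPrecertSign = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 4}
)

type Chain struct{ CA, PrecertSigner, Precert, Final *x509.Certificate }

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der) // the unknown critical poison extension parses fine; only Verify would reject it
	if err != nil {
		panic(err)
	}
	return c
}

// BuildChain issues the CA, a dedicated Precertificate Signing Certificate under it,
// a precert signed by that dedicated key, and the final cert (same serial) signed by the CA.
func BuildChain() Chain {
	now := time.Now()
	caKey, psKey, leafKey := mustKey(), mustKey(), mustKey()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	psTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example CA Precertificate Signing"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidCTPrecertSign}}
	ps := issue(psTmpl, ca, &psKey.PublicKey, caKey)
	leaf := func() *x509.Certificate { // identical tbsCertificate fields for precert and final cert
		return &x509.Certificate{SerialNumber: big.NewInt(0x1234), Subject: pkix.Name{CommonName: "www.example.test"},
			NotBefore: now, NotAfter: now.Add(24 * time.Hour), DNSNames: []string{"www.example.test"}}
	}
	pre := leaf()
	pre.ExtraExtensions = []pkix.Extension{{Id: oidCTPoison, Critical: true, Value: []byte{0x05, 0x00}}} // critical NULL
	return Chain{ca, ps, issue(pre, ps, &leafKey.PublicKey, psKey), issue(leaf(), ca, &leafKey.PublicKey, caKey)}
}

func main() {
	ch := BuildChain()
	r := NewResponder()
	r.Register(ch.CA, ch.Final.SerialNumber) // a responder that only indexes what the CA key itself issued
	for name, pair := range map[string][2]*x509.Certificate{"precert": {ch.Precert, ch.PrecertSigner}, "final": {ch.Final, ch.CA}} {
		id, _ := OCSPCertID(pair[0], pair[1])
		fmt.Printf("%-8s issuer=%q known=%v\n  %s\n", name, pair[1].Subject.CommonName, r.Knows(id), id.key())
	}
}
```

Run as-is, the final certificate is found and the precertificate is not: the serial matches, but a client that takes the precert's actual signer as the issuer hashes a different Name and a different key, so the request lands on a triple the responder never registered. The responder gets a hit only after the CA also registers the serial under the Precertificate Signing Certificate's identity (the second `Register` call in the test), which is the extra database information the message refers to, and which presupposes that RPs can obtain that certificate to build the request in the first place.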