We’ve been following the discussions regarding how OCSP responders should 
handle Precertificates without corresponding certificates and what the 
appropriate response indicator should be (good, revoked, or unknown). 

Based on the recent clarifications at [1], we want to inform the community that 
Apple’s OCSP responders return a status of “unknown” for Precertificates 
without a corresponding certificate. We have identified one Precertificate that 
did not result in a corresponding certificate for which our OCSP responders are 
returning a status of “unknown” (https://crt.sh/?id=1368484681).

We’ve updated the OCSP responders to respond “good” for that Precertificate and 
a long-term fix is in progress.

We appreciate the efforts being made to amend the Mozilla Root Store Policy to 
explicitly address matters relating to Certificate Transparency.

dev-security-policy mailing list

Reply via email to