On Fri, 13 Sep 2019 08:22:21 +0000 Rob Stradling via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Thinking aloud...
>
> Does anything need to be clarified in 6962-bis though?

Yes, it's long past time that we clarified what this means:

"This signature indicates the CA's intent to issue the certificate. This intent is considered binding (i.e., misissuance of the precertificate is considered equivalent to misissuance of the corresponding certificate)."

The goal is that a precertificate signature creates an unrebuttable presumption that the CA has issued the corresponding certificate. If a CA issues a precertificate, outside observers will treat the CA as if it had issued the corresponding certificate - whether or not the CA really did - so the CA should behave accordingly.

It's worth explicitly mentioning the implications of this:

* The CA needs to operate revocation services for the corresponding certificate as if the certificate had been issued.

* If the corresponding certificate would be misissued, the CA will be treated as if it had really issued that certificate.

Are there any other implications that 6962-bis should call out explicitly?

Regards,
Andrew