On 2019-09-16 14:02, Rob Stradling wrote:
> ISTM that this "certificate presumed to exist" concept doesn't play nicely with the current wording of BR 4.9.10: 'If the OCSP responder receives a request for status of a certificate that has not been issued, then the responder SHOULD NOT respond with a "good" status.' If a certificate (with embedded SCTs and no CT poison extension) is "presumed to exist" but the CA has not actually issued it, then to my mind that's a "certificate that has not been issued"; and therefore, the OCSP 'responder SHOULD NOT respond with a "good" status'.
The problem of course is that you don't query OCSP about a certificate, you query it about a serial number. And that serial number has been issued. So maybe the BRs should say serial number instead of certificate?
Kurt

_______________________________________________
dev-security-policy mailing list
firstname.lastname@example.org
https://lists.mozilla.org/listinfo/dev-security-policy
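As an added illustration of the point that an OCSP responder is asked about a serial number rather than a certificate, here is a hypothetical serial-keyed responder in Python; it is example code written for this page, not code from the thread or from any CA, and the issuer bytes and serial numbers it uses are constructed. A serial that appears only in a logged precertificate is treated as allocated and answered "good", while a serial the CA never used is answered "unknown" rather than "good".

```python
import hashlib
from dataclasses import dataclass
from enum import Enum

class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # answer for never-issued serials, so "good" is never returned for them

@dataclass(frozen=True)
class CertID:
    """What an OCSP request carries (RFC 6960 CertID): issuer hashes and a serial, never a certificate."""
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int

class SerialStatusResponder:
    """Hypothetical responder whose status table is keyed by serial number, not by certificate."""
    def __init__(self, issuer_name_der: bytes, issuer_spki_der: bytes):
        # Clients hash the issuer name and key (SHA-1 in practice) to build the CertID they ask about.
        self.issuer_name_hash = hashlib.sha1(issuer_name_der).digest()
        self.issuer_key_hash = hashlib.sha1(issuer_spki_der).digest()
        self.issued_serials = set()   # serials of certificates the CA actually issued
        self.precert_serials = set()  # serials seen only in logged precertificates ("presumed to exist")
        self.revoked = {}             # serial -> revocation reason

    def record(self, serial: int, precert_only: bool = False) -> None:
        (self.precert_serials if precert_only else self.issued_serials).add(serial)

    def revoke(self, serial: int, reason: str) -> None:
        self.revoked[serial] = reason

    def status(self, cert_id: CertID) -> CertStatus:
        if (cert_id.issuer_name_hash, cert_id.issuer_key_hash) != (self.issuer_name_hash, self.issuer_key_hash):
            return CertStatus.UNKNOWN  # not our issuer; we know nothing about this serial
        if cert_id.serial in self.revoked:
            return CertStatus.REVOKED
        if cert_id.serial in self.issued_serials or cert_id.serial in self.precert_serials:
            return CertStatus.GOOD     # the serial was allocated, whether or not a final cert exists
        return CertStatus.UNKNOWN      # never issued: BR 4.9.10 says the responder SHOULD NOT say "good"

def demo() -> dict:
    """Constructed sample: an issued cert, a precert-only serial, a revoked cert, and a never-issued serial."""
    resp = SerialStatusResponder(b"CN=Constructed Example CA", b"constructed-spki-bytes")
    resp.record(1001)
    resp.record(1002, precert_only=True)
    resp.record(1003)
    resp.revoke(1003, "keyCompromise")
    ask = lambda s: resp.status(CertID(resp.issuer_name_hash, resp.issuer_key_hash, s)).value
    return {s: ask(s) for s in (1001, 1002, 1003, 1004)}
```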