On 2019-09-16 14:02, Rob Stradling wrote:

ISTM that this "certificate presumed to exist" concept doesn't play
nicely with the current wording of BR 4.9.10:
    'If the OCSP responder receives a request for status of a certificate
     that has not been issued, then the responder SHOULD NOT respond with
     a "good" status.'

If a certificate (with embedded SCTs and no CT poison extension) is
"presumed to exist" but the CA has not actually issued it, then to my
mind that's a "certificate that has not been issued"; and therefore, the
OCSP 'responder SHOULD NOT respond with a "good" status'.

The problem of course is that you don't query OCSP about a certificate, you query it about a serial number. And that serial number has been issued. So maybe the BRs should say serial number instead of certificate?
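Since the disagreement above turns on what an OCSP request actually identifies, the following is an added example (mine, not code from either poster or from any CA) showing that an RFC 6960 OCSPRequest carries only a CertID, i.e. hashes of the issuer name and issuer key plus a serial number, and never the certificate itself. It builds a request with a minimal stdlib-only DER encoder, parses the CertID back out, and runs an illustrative responder policy keyed on that serial. The issuer bytes, the serial database and the policy are constructed assumptions for demonstration; in particular the policy deliberately treats a serial whose only artefact is a logged precertificate the same way as a fully issued one, because the responder cannot tell them apart from the request.

```python
"""OCSP identifies a certificate by CertID (RFC 6960 4.1.1), not by the
certificate. Stdlib-only DER so the example runs offline."""
import hashlib
from dataclasses import dataclass

# --- minimal DER encoding, enough for an unsigned OCSPRequest -------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(n: int) -> bytes:
    # non-negative INTEGER; the extra byte keeps a leading 0x00 when the high bit is set
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

SHA1_OID = bytes.fromhex("2b0e03021a")  # id-sha1, the hash most OCSP clients send in CertID

def build_ocsp_request(issuer_name_der: bytes, issuer_key_der: bytes, serial: int) -> bytes:
    alg_id = der(0x30, der(0x06, SHA1_OID) + der(0x05, b""))
    cert_id = der(0x30, alg_id
                  + der(0x04, hashlib.sha1(issuer_name_der).digest())   # issuerNameHash
                  + der(0x04, hashlib.sha1(issuer_key_der).digest())    # issuerKeyHash
                  + der_int(serial))                                    # serialNumber
    request = der(0x30, cert_id)          # Request ::= SEQUENCE { reqCert CertID }
    tbs = der(0x30, der(0x30, request))   # TBSRequest holding only requestList
    return der(0x30, tbs)                 # OCSPRequest without optionalSignature

# --- minimal DER decoding --------------------------------------------------
def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq: bytes):
    out, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        out.append((tag, body))
    return out

@dataclass(frozen=True)
class CertID:
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int

def parse_cert_id(ocsp_request: bytes) -> CertID:
    """Everything the responder learns about the subject certificate."""
    _, tbs_tlv, _ = _read_tlv(ocsp_request, 0)          # OCSPRequest
    _, tbs, _ = _read_tlv(tbs_tlv, 0)                     # TBSRequest
    # skip optional [0] version / [1] requestorName; requestList is the SEQUENCE
    req_list = next(body for tag, body in _children(tbs) if tag == 0x30)
    (_, request), = _children(req_list)                   # single Request assumed
    (_, cert_id), = _children(request)
    (_, _alg), (_, name_hash), (_, key_hash), (_, serial) = _children(cert_id)
    return CertID(name_hash, key_hash, int.from_bytes(serial, "big"))

# --- illustrative responder policy (constructed, not any CA's code) -------
GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"

def ocsp_status(cert_id: CertID, issuer_id: tuple, serial_db: dict) -> str:
    """serial_db maps serial -> 'issued' | 'precert_only' | 'revoked' for one issuer."""
    if (cert_id.issuer_name_hash, cert_id.issuer_key_hash) != issuer_id:
        return UNKNOWN                      # not an issuer this responder speaks for
    state = serial_db.get(cert_id.serial)
    if state is None:
        return UNKNOWN                      # serial never issued: do not answer "good"
    if state == "revoked":
        return REVOKED
    return GOOD   # 'issued' and 'precert_only' are indistinguishable from the CertID

# constructed sample identifiers; real ones are the DER issuer Name and public key bits
ISSUER_NAME_DER = b"constructed issuer Name DER"
ISSUER_KEY_DER = b"constructed issuer subjectPublicKey bits"
ISSUER_ID = (hashlib.sha1(ISSUER_NAME_DER).digest(), hashlib.sha1(ISSUER_KEY_DER).digest())
SERIAL_DB = {0x1001: "issued", 0x1002: "precert_only", 0x1003: "revoked"}

def demo() -> dict:
    results = {}
    for serial in (0x1001, 0x1002, 0x1003, 0x1004):   # 0x1004 was never issued at all
        req = build_ocsp_request(ISSUER_NAME_DER, ISSUER_KEY_DER, serial)
        cid = parse_cert_id(req)
        assert cid.serial == serial
        results[serial] = ocsp_status(cid, ISSUER_ID, SERIAL_DB)
    return results

if __name__ == "__main__":
    for serial, status in demo().items():
        print(f"serial {serial:#x}: {status}")
```

Serial 0x1002 (precertificate logged, final certificate never handed out) gets exactly the answer 0x1001 gets, which is the point of the message above: whatever wording the BRs settle on, the responder can only apply it to a serial number.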

dev-security-policy mailing list
