On 17/09/2019 08:01, Kurt Roeckx via dev-security-policy wrote:
> On 2019-09-16 14:02, Rob Stradling wrote:
>>
>> ISTM that this "certificate presumed to exist" concept doesn't play
>> nicely with the current wording of BR 4.9.10:
>> 'If the OCSP responder receives a request for status of a certificate
>> that has not been issued, then the responder SHOULD NOT respond with
>> a "good" status.'
>>
>> If a certificate (with embedded SCTs and no CT poison extension) is
>> "presumed to exist" but the CA has not actually issued it, then to my
>> mind that's a "certificate that has not been issued"; and therefore, the
>> OCSP 'responder SHOULD NOT respond with a "good" status'.
>
> The problem of course is that you don't query OCSP about a certificate,
> you query it about a serial number. And that serial number has been
> issued. So maybe the BRs should say serial number instead of certificate?
Hi Kurt. I agree, hence why I proposed:

"- I would also like to see BR 4.9.10 revised to say something roughly
along these lines:
'If the OCSP responder receives a status request for a serial number
that has not been allocated by the CA, then the responder SHOULD NOT
respond with a "good" status.'"

-- 
Rob Stradling
Senior Research & Development Scientist
Email: r...@sectigo.com
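The point both messages turn on is that an OCSP responder is asked about a serial number, not a certificate, so whatever rule it applies has to be keyed on what the CA knows about that serial. The following is an added example (not code from the thread, Sectigo, or any CA) that models the responder's decision in Python: a naive policy that answers "good" for anything not explicitly revoked, beside one that follows the proposed "serial number that has not been allocated by the CA" wording. The status enums, the record shape, the `SerialState.PRECERT_ONLY` label for the "presumed to exist" case and the sample CA database are all constructed for this illustration; the choice of "unknown" as the non-good answer is one option, since RFC 6960 §2.2 also permits "revoked" for known non-issued serials.

```python
"""Toy OCSP status decision keyed on serial-number allocation.

Added example for the BR 4.9.10 discussion; not part of the thread.
All states, records and sample data below are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


class SerialState(Enum):
    # Serial allocated and a precertificate (CT poison extension) logged,
    # but the final certificate was never produced: "presumed to exist".
    PRECERT_ONLY = "precert_only"
    ISSUED = "issued"      # final certificate (embedded SCTs) delivered
    REVOKED = "revoked"


@dataclass
class SerialRecord:
    state: SerialState
    subject: str           # illustrative only; a responder never needs it


# Constructed CA database: serial number -> what the CA knows about it.
# 0x0BAD is deliberately absent: the CA never allocated that serial.
SAMPLE_DB: Dict[int, SerialRecord] = {
    0x1001: SerialRecord(SerialState.PRECERT_ONLY, "precert-only.example"),
    0x1002: SerialRecord(SerialState.ISSUED, "issued.example"),
    0x1003: SerialRecord(SerialState.REVOKED, "revoked.example"),
}


def status_default_good(db: Dict[int, SerialRecord], serial: int) -> OcspStatus:
    """Problematic policy: anything not explicitly revoked is 'good'.

    A responder built this way says 'good' for serials the CA never
    allocated, which is exactly what BR 4.9.10 tells it not to do.
    """
    rec = db.get(serial)
    if rec is not None and rec.state is SerialState.REVOKED:
        return OcspStatus.REVOKED
    return OcspStatus.GOOD


def status_by_allocation(db: Dict[int, SerialRecord], serial: int) -> OcspStatus:
    """Policy following the proposed 'serial number not allocated' wording.

    - Unallocated serial: never 'good'. 'unknown' is used here; RFC 6960
      section 2.2 also allows 'revoked' for known non-issued serials.
    - Allocated serial (precert-only or issued): 'good' unless revoked.
      Keying on the serial, not on whether a final certificate exists,
      is what makes the precert-only case answerable at all.
    """
    rec = db.get(serial)
    if rec is None:
        return OcspStatus.UNKNOWN
    if rec.state is SerialState.REVOKED:
        return OcspStatus.REVOKED
    return OcspStatus.GOOD


def disagreements(db: Dict[int, SerialRecord], serials: Iterable[int]) -> List[int]:
    """Serials for which the two policies answer differently.

    Useful as a self-check: every serial listed here is one the naive
    responder would have called 'good' without the CA having allocated it.
    """
    return [s for s in serials if status_default_good(db, s) is not status_by_allocation(db, s)]


if __name__ == "__main__":
    probe = [0x1001, 0x1002, 0x1003, 0x0BAD]
    for s in probe:
        print(f"{s:#06x}: default={status_default_good(SAMPLE_DB, s).value:8s} "
              f"by_allocation={status_by_allocation(SAMPLE_DB, s).value}")
    print("disagreements:", [f"{s:#06x}" for s in disagreements(SAMPLE_DB, probe)])
```

The two policies agree on every allocated serial, including the precert-only one, and differ only on the never-allocated 0x0BAD, which is the case the quoted BR text is aimed at.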