>> ISTM that this "certificate presumed to exist" concept doesn't play
>> nicely with the current wording of BR 4.9.10:
>>     'If the OCSP responder receives a request for status of a certificate
>>      that has not been issued, then the responder SHOULD NOT respond with
>>      a "good" status.'
>> If a certificate (with embedded SCTs and no CT poison extension) is
>> "presumed to exist" but the CA has not actually issued it, then to my
>> mind that's a "certificate that has not been issued"; and therefore, the
>> OCSP 'responder SHOULD NOT respond with a "good" status'.
> The problem of course is that you don't query OCSP about a certificate, 
> you query it about a serial number. And that serial number has been 
> issued. So maybe the BRs should say serial number instead of certificate?

Hi Kurt.  I agree, hence why I proposed:

   "- I would also like to see BR 4.9.10 revised to say something roughly
    along these lines:
    'If the OCSP responder receives a status request for a serial number
     that has not been allocated by the CA, then the responder SHOULD NOT
     respond with a "good" status.'"

