My interpretation is once a precertificate has been signed with the issuing CA key the corresponding OCSP service should only respond with "good" or "revoked". In this case an "unknown" response indicates the specific serial number for the issuing CA has not been assigned which isn’t the case. Since the serial number has been assigned the OCSP responder should know about the status of that serial number for the issuing CA. If there are no issues with the precertificate that would require its revocation the OCSP responder should respond with “good”. If the precertificate is classified as a misissuance (or any other reason that would require revocation) the OCSP responder should respond with “revoked”.
- Curt _______________________________________________ dev-security-policy mailing list email@example.com https://lists.mozilla.org/listinfo/dev-security-policy