Thanks Curt. Reading between the lines of Ryan's and your response, I'm
thinking that we should specifically ban or limit the scope of "unknown"
responses somewhere - perhaps in the BRs. Otherwise I think RFC 6960 leaves
some room for a CA to argue that they are permitted to use that response in
situations such as the one you described.

On Wed, Sep 18, 2019 at 3:48 PM Curt Spann via dev-security-policy <> wrote:

> My interpretation is once a precertificate has been signed with the
> issuing CA key the corresponding OCSP service should only respond with
> "good" or "revoked". In this case an "unknown" response indicates the
> specific serial number for the issuing CA has not been assigned which isn’t
> the case. Since the serial number has been assigned the OCSP responder
> should know about the status of that serial number for the issuing CA. If
> there are no issues with the precertificate that would require its
> revocation the OCSP responder should respond with “good”. If the
> precertificate is classified as a misissuance (or any other reason that
> would require revocation) the OCSP responder should respond with “revoked”.
> - Curt
> _______________________________________________
> dev-security-policy mailing list
dev-security-policy mailing list

Reply via email to