Thanks Curt. Reading between the lines of Ryan's and your response, I'm thinking that we should specifically ban or limit the scope of "unknown" responses somewhere - perhaps in the BRs. Otherwise I think RFC 6960 leaves some room for a CA to argue that they are permitted to use that response in situations such as the one you described.
On Wed, Sep 18, 2019 at 3:48 PM Curt Spann via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> My interpretation is once a precertificate has been signed with the issuing CA key the corresponding OCSP service should only respond with "good" or "revoked". In this case an "unknown" response indicates the specific serial number for the issuing CA has not been assigned which isn't the case. Since the serial number has been assigned the OCSP responder should know about the status of that serial number for the issuing CA. If there are no issues with the precertificate that would require its revocation the OCSP responder should respond with "good". If the precertificate is classified as a misissuance (or any other reason that would require revocation) the OCSP responder should respond with "revoked".
>
> - Curt
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
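The status rule Curt describes (a serial that has been signed into a precertificate with the issuing CA key is "assigned", so the responder must answer "good" or "revoked" and reserve "unknown" for serials the CA never used) can be made concrete with a small model. The following is an added example written for this thread, not code from any CA, Mozilla, or RFC 6960; the issuer registry, the serial numbers and the "observed responses" are all constructed. It shows the correct decision next to the failure mode under discussion (a responder that only tracks final certificates and therefore answers "unknown" for a precertificate), and an audit step a CT monitor could run: take the serials seen in logged precertificates and flag every one the responder answered "unknown" for.

```python
"""Added example: OCSP status decision for an issuing CA's serials, plus an
audit that flags "unknown" answers for serials already logged as precerts.
All names and values here are constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, List


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # RFC 6960 semantics: responder knows nothing about this serial


@dataclass
class SerialRecord:
    precert_signed: bool = False     # precertificate signed with the issuing CA key
    final_cert_signed: bool = False  # final certificate signed with the issuing CA key
    revoked: bool = False


@dataclass
class IssuerSerialRegistry:
    """Per-issuer record of every serial that has been signed (hypothetical model)."""
    issuer: str
    records: Dict[int, SerialRecord] = field(default_factory=dict)

    def sign_precert(self, serial: int) -> None:
        self.records.setdefault(serial, SerialRecord()).precert_signed = True

    def sign_final(self, serial: int) -> None:
        self.records.setdefault(serial, SerialRecord()).final_cert_signed = True

    def revoke(self, serial: int) -> None:
        if serial not in self.records:
            raise KeyError(f"serial {serial:#x} was never assigned by {self.issuer}")
        self.records[serial].revoked = True

    def ocsp_status(self, serial: int) -> CertStatus:
        """Correct behaviour: a serial is 'assigned' as soon as a precert or
        final cert carrying it was signed, so it is never 'unknown'."""
        rec = self.records.get(serial)
        if rec is None or not (rec.precert_signed or rec.final_cert_signed):
            return CertStatus.UNKNOWN
        return CertStatus.REVOKED if rec.revoked else CertStatus.GOOD

    def final_cert_only_status(self, serial: int) -> CertStatus:
        """The failure mode: a responder fed only from the final-certificate
        table answers 'unknown' for serials that exist only as precerts."""
        rec = self.records.get(serial)
        if rec is None or not rec.final_cert_signed:
            return CertStatus.UNKNOWN
        return CertStatus.REVOKED if rec.revoked else CertStatus.GOOD


def audit_ocsp_against_ct(ct_precert_serials: Iterable[int],
                          observed: Dict[int, CertStatus]) -> List[int]:
    """Serials with a logged precertificate for which the responder answered
    'unknown'. Each one is a responder that does not know its own issuance."""
    return sorted(s for s in ct_precert_serials
                  if observed.get(s) is CertStatus.UNKNOWN)


def demo() -> List[int]:
    # Constructed scenario: two precerts logged, one of them later revoked,
    # neither yet issued as a final certificate.
    reg = IssuerSerialRegistry("Example Issuing CA (constructed)")
    reg.sign_precert(0x1001)
    reg.sign_precert(0x1002)
    reg.revoke(0x1002)
    logged_in_ct = [0x1001, 0x1002]
    # Responses a CT monitor would observe from the final-cert-only responder.
    observed = {s: reg.final_cert_only_status(s) for s in logged_in_ct}
    return audit_ocsp_against_ct(logged_in_ct, observed)


if __name__ == "__main__":
    print("serials answered 'unknown' despite a logged precert:",
          [hex(s) for s in demo()])
```

The audit only trusts what is visible to a third party: a precertificate in a CT log proves the serial was signed with the issuing CA key, so an "unknown" answer for it is evidence the responder's view of issuance is incomplete, without needing any access to the CA's database.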