On Thu, Sep 19, 2019 at 2:55 PM Tim Hollebeek <tim.holleb...@digicert.com> wrote:
> I also don’t think it’s helpful to try to redefine long-standing and
> well-understood terminology like what it means to issue a certificate. In
> fact, I just checked, and using a definition like “reserving a serial
> number” causes many of the issuance requirements in RFC 5280 to be
> nonsensical.

It was DigiCert that introduced me to this way of thinking, when they similarly argued that revocation is the process of marking a serial number revoked within an internal database, rather than the publication of a CRL or OCSP response.

https://groups.google.com/d/msg/mozilla.dev.security.policy/eV89JXcsBC0/7hkz9iJDAQAJ

> It would be helpful for one of the relevant documents, or another
> document, or even an errata, to clarify that OCSP services can be offered
> for pre-certificates. It’s merely a question of clarifying the technical
> requirements about how an OCSP service should operate, as those
> requirements currently can be read to not allow OCSP responses for
> non-certificates.

I'm still not sure I agree with the conflict, which is the key. In either event, we're arguably discussing a profile / the operational constraints specific to a given CA, and not something general with the protocol. Whether or not a pre-certificate is treated as equivalent issuance is, ultimately, a policy question.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
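The exchange above turns on whether an OCSP service can answer for a pre-certificate at all. The technical observation underneath it, added here as an illustration and not part of the thread or of any CA's code, is that an OCSP request never carries the certificate itself: per RFC 6960 the CertID is the hashed issuer name, the hashed issuer key and the serial number. A pre-certificate and the final certificate it precedes share all three, so the request a client would send is byte-for-byte the same for either. The example below builds a throwaway CA, a pre-certificate (carrying the critical poison extension) and a final certificate with the same serial, then constructs the OCSP request for each using the `cryptography` package. The CA name, the leaf name and the serial number are all constructed for the demonstration.

```python
# Added example: shows that an OCSP request identifies a serial reserved by a
# pre-certificate exactly as it identifies the final certificate.
# Requires the `cryptography` package. All names and keys are constructed here.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec


def _validity():
    now = datetime.now(timezone.utc)
    return now - timedelta(days=1), now + timedelta(days=90)


def make_ca():
    """Constructed self-signed issuer used only for this demonstration."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA (constructed)")])
    not_before, not_after = _validity()
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def build_leaf(ca_key, ca_cert, leaf_public_key, serial, precert):
    """Build either the pre-certificate (poison extension present, critical)
    or the final certificate, both for the same serial number."""
    not_before, not_after = _validity()
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "leaf.example (constructed)")]))
        .issuer_name(ca_cert.subject)
        .public_key(leaf_public_key)
        .serial_number(serial)
        .not_valid_before(not_before)
        .not_valid_after(not_after)
    )
    if precert:
        # RFC 6962 poison extension: marks the object as not-a-certificate for validation.
        builder = builder.add_extension(x509.PrecertPoison(), critical=True)
    return builder.sign(ca_key, hashes.SHA256())


def is_precert(cert):
    """True when the critical poison extension is present."""
    try:
        cert.extensions.get_extension_for_class(x509.PrecertPoison)
        return True
    except x509.ExtensionNotFound:
        return False


def ocsp_request_for(cert, issuer):
    """Build the OCSP request a client would send for this certificate.
    Only issuer name/key hashes and the serial number go into the CertID."""
    return ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build()


def demo():
    ca_key, ca_cert = make_ca()
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    serial = x509.random_serial_number()  # the "reserved" serial, constructed

    precert = build_leaf(ca_key, ca_cert, leaf_key.public_key(), serial, precert=True)
    final = build_leaf(ca_key, ca_cert, leaf_key.public_key(), serial, precert=False)

    req_pre = ocsp_request_for(precert, ca_cert)
    req_final = ocsp_request_for(final, ca_cert)
    der = serialization.Encoding.DER

    return {
        "precert_flagged": is_precert(precert),
        "final_flagged": is_precert(final),
        "same_serial": req_pre.serial_number == req_final.serial_number == serial,
        "same_issuer_hashes": (req_pre.issuer_name_hash, req_pre.issuer_key_hash)
        == (req_final.issuer_name_hash, req_final.issuer_key_hash),
        # The two (pre)certificates differ on the wire; the OCSP requests do not.
        "certs_differ": precert.public_bytes(der) != final.public_bytes(der),
        "same_ocsp_request": req_pre.public_bytes(der) == req_final.public_bytes(der),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the request is identical in both cases, a responder that keys its status database on (issuer, serial) needs no change to answer for a serial that so far exists only in a pre-certificate; whether it should is the policy question the message above leaves open.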