On Thu, Sep 19, 2019 at 2:55 PM Tim Hollebeek <tim.holleb...@digicert.com>

> I also don’t think it’s helpful to try to redefine long-standing and
> well-understood terminology like what it means to issue a certificate.  In
> fact, I just checked, and using a definition like “reserving a serial
> number” causes many of the issuance requirements in RFC 5280 to be
> non-sensical.

It was DigiCert that introduced me to this way of thinking, when they
similarly argued that revocation is the process of marking a serial number
revoked within an internal database, rather than the publication of a CRL
or OCSP response.

> It would be helpful for one of the relevant documents, or another
> document, or even an errata, to clarify that OCSP services can be offered
> for pre-certificates.  It’s merely a question of clarifying the technical
> requirements about how an OCSP service should operate, as those
> requirements currently can be read to not allow OCSP responses for
> non-certificates.

I'm still not sure I agree with the conflict, which is the key. In either
event, we're arguably discussing a profile / the operational constraints
specific to a given CA, and not something general with the protocol.
Whether or not a pre-certificate is treated as equivalent issuance is,
ultimately, a policy question.
dev-security-policy mailing list