On 16/09/2019 18:08, Andrew Ayer wrote:
> On Fri, 13 Sep 2019 08:22:21 +0000
> Rob Stradling via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>> Thinking aloud...
>> Does anything need to be clarified in 6962-bis though?
> Yes, it's long past time that we clarified what this means:

Thanks Andrew.  I'll start a thread on the TRANS list to discuss this.

> "This signature indicates the CA's intent to issue the certificate.  This
> intent is considered binding (i.e., misissuance of the precertificate is
> considered equivalent to misissuance of the corresponding certificate)."
> The goal is that a precertificate signature creates an unrebuttable
> presumption that the CA has issued the corresponding certificate. If a
> CA issues a precertificate, outside observers will treat the CA as if
> it had issued the corresponding certificate - whether or not the CA
> really did - so the CA should behave accordingly.
> It's worth explicitly mentioning the implications of this:
> * The CA needs to operate revocation services for the corresponding
> certificate as if the certificate had been issued.
> * If the corresponding certificate would be misissued, the CA will be
> treated as if it had really issued that certificate.
> Are there any other implications that 6962-bis should call out
> explicitly?
> Regards,
> Andrew

Rob Stradling
Senior Research & Development Scientist
Sectigo Limited

dev-security-policy mailing list

Reply via email to