On 16/09/2019 18:08, Andrew Ayer wrote: > On Fri, 13 Sep 2019 08:22:21 +0000 > Rob Stradling via dev-security-policy > <dev-security-policy@lists.mozilla.org> wrote: > >> Thinking aloud... >> Does anything need to be clarified in 6962-bis though? > > Yes, it's long past time that we clarified what this means:
Thanks Andrew. I'll start a thread on the TRANS list to discuss this. > "This signature indicates the CA's intent to issue the certificate. This > intent is considered binding (i.e., misissuance of the precertificate is > considered equivalent to misissuance of the corresponding certificate)." > > The goal is that a precertificate signature creates an unrebuttable > presumption that the CA has issued the corresponding certificate. If a > CA issues a precertificate, outside observers will treat the CA as if > it had issued the corresponding certificate - whether or not the CA > really did - so the CA should behave accordingly. > > It's worth explicitly mentioning the implications of this: > > * The CA needs to operate revocation services for the corresponding > certificate as if the certificate had been issued. > > * If the corresponding certificate would be misissued, the CA will be > treated as if it had really issued that certificate. > > Are there any other implications that 6962-bis should call out > explicitly? > > Regards, > Andrew > -- Rob Stradling Senior Research & Development Scientist Sectigo Limited _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy