On 19/09/2019 21:01, Ryan Sleevi wrote:
<snip>
>     It would be helpful for one of the relevant documents, or another
>     document, or even an errata, to clarify that OCSP services can be
>     offered for pre-certificates.  It’s merely a question of clarifying
>     the technical requirements about how an OCSP service should operate,
>     as those requirements currently can be read to not allow OCSP
>     responses for non-certificates.
> 
> 
> I'm still not sure I agree with the conflict, which is the key. In 
> either event, we're arguably discussing a profile / the operational 
> constraints specific to a given CA, and not something general with the 
> protocol. Whether or not a pre-certificate is treated as equivalent 
> issuance is, ultimately, a policy question.

Tim, Ryan,

I just started a thread on the TRANS list about this.  Please could I 
ask you to take this discussion there?

-- 
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to