On Mon, Sep 23, 2019 at 02:53:26PM -0700, Andy Warner via dev-security-policy 
> 1. The new text added to the Mozilla Recommended and Required Practices for 
> this topic states only OCSP status is required for precertificates. Many CAs 
> provide both CRLs and OCSP services and it would be problematic if these two 
> mechanisms provided different answers to the same question. 
> The practice of revoking non-issued certificates would therefore lead to CRL 
> growth which would further make reliable revocation checking on bandwidth 
> constrained clients more difficult.

There have been suggestions to revoke them, but it's my
understanding that there is no such requirement.

> 2. There seem to be a number of assumptions that precertificate issuance and 
> certificate issuance is roughly atomic. In reality, a quorum of SCTs is 
> required prior to final certificate issuance, so that is not the case.

I don't see anybody suggesting that, nor how it's relevant.

With all the uptime requirements on the logs and the number of
available logs, I don't see why you should have a failure rate
of 1 in 2000, and that more seems like an implementation problem.

> 3. This raises the question of how much time a CA has from the time they 
> issue a precertificate to when the final certificate must be issued. When 
> there are logs ecosystem issues that are beyond the control of a CA, the gap 
> can easily be orders of magnitude higher than normal operating conditions.

At what is the issue with that?

> * Clarifications
> This in turn raises the question if CAs can re-use authorization data such as 
> CAA records or domain authorizations from the precertificate? If a final 
> certificate has not been issued due to a persistent quorum failure, and that 
> failure persists longer than the validity of the used authorization data, can 
> the authorizations that were done prior to the precertificate issuance be 
> re-used?

So 1 year is sometimes not enough to get SCTs?


dev-security-policy mailing list

Reply via email to