Hi Ben,

Comments inline:
> - if any certificates with the same serial number and issuer
> exist, and one cannot be verified as the precertificate matching the
> final certificate using the algorithms in RFC 9162, this will be
> considered misissuance;

1. No one has implemented RFC 9162, and its algorithms for precertificate/certificate reconstruction are not the same as RFC 6962's, so the above reference should be changed to RFC 6962. Although RFC 9162 does add some good clarifying language that also applies to CT version 1 (e.g. Section 3.2.1), it is for the most part a brand new, incompatible protocol, and in general Mozilla policy needs to reference RFC 6962 because it describes the system that is actually deployed.

2. When a Precertificate Signing Certificate is used, the issuer of a precertificate and its corresponding certificate are not the same, but there could still be a duplicate serial number violation.

I propose this text instead:

"If a final certificate cannot be verified as matching a precertificate using the algorithms in RFC 6962, then two distinct final certificates are presumed to exist, and it is misissuance if the two final certificates have the same serial number and issuer, even if only one final certificate actually exists."

> - issuance of a precertificate that does not comply with this
> policy is considered equal to misissuance of a final certificate;

This language is very similar to the language in RFC 6962, which has caused a lot of confusion, so I would be more explicit. I propose:

"If a precertificate implies the existence of a final certificate that does not comply with this policy, it is considered misissuance of the final certificate, even if the certificate does not actually exist."
> - a CA must be able to revoke a certificate presumed to exist, if
> revocation of the certificate is required under this policy, even
> if the final certificate does not actually exist; and
> - a CA must provide CRL and OCSP services and responses in
> accordance with this policy for all certificates presumed to exist
> based on the presence of a precertificate, even if the certificate
> does not actually exist.

This is good language.

Regards,
Andrew

--
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20220116202444.8f991aef42b1ab2d41be1d49%40andrewayer.name.
