Thanks, Andrew.

Would this address your comments?

5.4 Precertificates

Certificate Transparency precertificates are considered by Mozilla to be a binding intent to issue a certificate, as described in section 3.1 of RFC 6962, and thus in-scope for enforcing compliance with these requirements. Thus,

· if a final certificate cannot be verified as matching a precertificate using the algorithms in RFC 6962, then two distinct final certificates are presumed to exist, and it is misissuance if the two final certificates have the same serial number and issuer, even if only one final certificate actually exists;

· if a precertificate implies the existence of a final certificate that does not comply with this policy, it is considered misissuance of the final certificate, even if the certificate does not actually exist;

· a CA must be able to revoke a certificate presumed to exist, if revocation of the certificate is required under this policy, even if the final certificate does not actually exist; and

· a CA must provide CRL and OCSP services and responses in accordance with this policy for all certificates presumed to exist based on the presence of a precertificate, even if the certificate does not actually exist.

On Thu, Apr 14, 2022 at 12:01 PM Andrew Ayer <[email protected]> wrote:

> Hi Ben,
>
> My comments about the precertificates section haven't been fully addressed:
>
> https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/Co65loD9i-0/m/Trt4N9QQAgAJ
>
> Regards,
> Andrew
>
> On Wed, 13 Apr 2022 11:18:24 -0600
> Ben Wilson <[email protected]> wrote:
>
> > All,
> >
> > Here are links helpful during your final review of version 2.8 of the
> > Mozilla Root Store Policy (MRSP):
> >
> > https://github.com/BenWilson-Mozilla/pkipolicy/blob/2.8/rootstore/policy.md
> > https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:2.8
> > (redlined)
> >
> > Please review the changes and provide any additional comments by the
> > end of Tuesday, April 19, 2022.
> >
> > My plan is to move this version over to the Mozilla pkipolicy
> > repository on GitHub
> > <https://github.com/mozilla/pkipolicy/tree/master/rootstore>, and
> > then I'll request that it be published on Mozilla's website
> > <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/>
> > to replace version 2.7.1.
> >
> > Thanks,
> >
> > Ben
