Separate from the "final" / "corresponding" question, I find this phrasing confusing:
> " * if a corresponding certificate cannot be verified as matching a > precertificate using the algorithms in RFC 6962, then two distinct > corresponding certificates are presumed to exist, and it is misissuance if > the two corresponding certificates have the same serial number and issuer, > even if only one corresponding certificate actually exists;" > In particular the "if" in "it is misissuance if" is confusing, since it's actually unconditional: given that - the precertificate and the corresponding/final certificate exist, - have the same serial number, - either have the same issuer or are related via a Precertificate signing certificate - and don't match per RFC 6962 Then there's a misissuance; there's no "if" because the corresponding certificate that is presumed to exist is presumed to have the same serial and issuer. Also "matching a precertificate" is ambiguous: does it mean "a specific precertificate" or "any precertificate?" For context, Andrew's original reason for proposing this text was: > When a Precertificate Signing Certificate is used, the issuer of a > precertificate and its corresponding certificate are not the same, but > there could still be a duplicate serial number violation. The duplicate serial number violation can happen when there are two corresponding certificates with the same issuer and serial, right? But that seems to be covered by the straightforward "no duplicate serials" rule. No exemption to the "no duplicate serials" rule need apply for setups with Precertificate Signing Certificates, because those setups specifically avoid the "same issuer and serial" problem. Here's my stab at it, knowing this has been discussed many times before and it's challenging to write well: - "It is misissuance for two or more certificates to be issued with the same issuer and serial, with one exception: if exactly two certificates are issued with the same issuer and serial, and one of them is a precertificate, and one of them corresponds to that precertificate, it is not misissuance." -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAN3x4Qn9%2BLhGd9AG2qQfxEHjRjxBV%2B8F0P62vO2D_CeMi7jL7A%40mail.gmail.com.
