What about this language?

### 5.4 Precertificates ###

The logging of a precertificate in a Certificate Transparency log is considered by Mozilla to be a binding intent to issue a final certificate, as described in [section 3.1 of RFC 6962][6962-3.1]. "Final certificate" means a certificate that is not a precertificate. Precertificates are in-scope for enforcing compliance with these requirements. Thus,

* if a final certificate cannot be verified as matching a precertificate using the algorithms in RFC 6962, then two distinct final certificates are presumed to exist, and it is misissuance if the two final certificates have the same serial number and issuer, even if only one final certificate actually exists;
* if a precertificate implies the existence of a final certificate that does not comply with this policy, it is considered misissuance of the final certificate, even if the certificate does not actually exist;
* a CA must be able to revoke a certificate presumed to exist, if revocation of the certificate is required under this policy, even if the final certificate does not actually exist; and
* a CA must provide CRL and OCSP services and responses in accordance with this policy for all certificates presumed to exist based on the presence of a precertificate, even if the certificate does not actually exist.
On Wed, Apr 20, 2022 at 8:00 AM Andrew Ayer <[email protected]> wrote:

> On Tue, 19 Apr 2022 20:56:25 -0600
> Ben Wilson <[email protected]> wrote:
>
> > Hi Rob and Andrew,
> >
> > "Corresponding certificate" seems to work, but are you OK with this
> > for the first bullet?
> >
> > " * if a corresponding certificate cannot be verified as matching a
> > precertificate using the algorithms in RFC 6962, then two distinct
> > corresponding certificates are presumed to exist, and it is
> > misissuance if the two corresponding certificates have the same
> > serial number and issuer, even if only one corresponding certificate
> > actually exists;"
>
> I don't think "corresponding certificate" works here because only one of
> the corresponding certificates actually corresponds to an extant
> precertificate.
>
> I think we should stick with "final certificate" and add a simple
> definition:
>
> A certificate that is not a precertificate [RFC 6962].
>
> Regards,
> Andrew
>

-- 
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaagwJLhZp%2BVz7qfJko46U2%3DC7OU2jLVRjuYAMzKQRttRQ%40mail.gmail.com.
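The first bullet of the proposed 5.4 text leans on "the algorithms in RFC 6962" for deciding whether a final certificate matches a precertificate. The following is an added example of that section 3.2 comparison, written for this page and not taken from the thread, from Mozilla's policy or from any CA or log implementation. It uses only the Python standard library: it parses DER just far enough to find the Extensions field of a TBSCertificate, removes the poison extension from the precertificate and the SCT-list extension from the final certificate, and requires the two results to be byte-identical. It assumes the precertificate was signed by the real issuer (the Precertificate Signing Certificate variant of section 3.2, which additionally rewrites the issuer and authority key identifier, is not modelled), and every TBSCertificate below is constructed for the example rather than taken from a real CA.

```python
# Added example: RFC 6962 s3.2 precertificate / final-certificate matching.
# Standard library only; all sample TBSCertificates are constructed, not real CA output.
POISON_OID = "1.3.6.1.4.1.11129.2.4.3"    # RFC 6962 s3.1: critical poison extension
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"  # RFC 6962 s3.3: embedded SCT list extension

def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, value):
    """Encode one DER TLV (single-byte tags only)."""
    return bytes([tag]) + der_len(len(value)) + value

def parse_tlv(data, pos=0):
    """Return (tag, value, end_offset) for the TLV at pos; rejects indefinite lengths."""
    tag, length, start = data[pos], data[pos + 1], pos + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length")
        length, start = int.from_bytes(data[start:start + nbytes], "big"), start + nbytes
    if start + length > len(data):
        raise ValueError("truncated DER")
    return tag, data[start:start + length], start + length

def children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = parse_tlv(value, pos)
        out.append((tag, v))
    return out

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                                  # base-128, high bit set on all but the last byte
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        body.extend(chunk)
    return bytes(body)

def split_tbs(tbs):
    """Split a TBSCertificate into (DER of the fields outside [3], list of Extension bodies)."""
    tag, body, end = parse_tlv(tbs)
    if tag != 0x30 or end != len(tbs):
        raise ValueError("TBSCertificate must be a single SEQUENCE")
    fields, exts = b"", []
    for ftag, fval in children(body):
        if ftag == 0xA3:                          # extensions [3] EXPLICIT SEQUENCE OF Extension
            stag, seq, _ = parse_tlv(fval)
            if stag != 0x30:
                raise ValueError("Extensions must be a SEQUENCE")
            exts = [ev for _, ev in children(seq)]
        else:
            fields += tlv(ftag, fval)
    return fields, exts

def rebuild_tbs(fields, exts):
    if not exts:                                  # RFC 5280: an empty Extensions is omitted
        return tlv(0x30, fields)
    return tlv(0x30, fields + tlv(0xA3, tlv(0x30, b"".join(tlv(0x30, ev) for ev in exts))))

def extension_oid(ext_body):                      # Extension ::= SEQUENCE { extnID OID, ... }
    tag, oid, _ = parse_tlv(ext_body)
    if tag != 0x06:
        raise ValueError("Extension must start with extnID")
    return oid

def has_extension(tbs, oid):
    return any(extension_oid(ev) == encode_oid(oid) for ev in split_tbs(tbs)[1])

def strip_extension(tbs, oid):
    fields, exts = split_tbs(tbs)
    return rebuild_tbs(fields, [ev for ev in exts if extension_oid(ev) != encode_oid(oid)])

def final_matches_precert(final_tbs, precert_tbs):
    """RFC 6962 s3.2: precert minus poison must equal final cert minus SCT list.
    Assumption: precert signed by the real issuer (no Precertificate Signing Certificate)."""
    if not has_extension(precert_tbs, POISON_OID):   # without the poison it is not a precertificate
        return False
    if has_extension(final_tbs, POISON_OID):         # a final certificate must never carry the poison
        return False
    return strip_extension(final_tbs, SCT_LIST_OID) == strip_extension(precert_tbs, POISON_OID)

# ---- constructed sample data (toy values; the SPKI and times are placeholders) ----
def extension(oid, value, critical=False):
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, tlv(0x06, encode_oid(oid)) + crit + tlv(0x04, value))

def name(cn):                                     # SEQUENCE OF SET OF { commonName, UTF8String }
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, encode_oid("2.5.4.3")) + tlv(0x0C, cn.encode()))))

def build_tbs(serial, extensions):
    fields = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial)                        # v3, serialNumber
              + tlv(0x30, tlv(0x06, encode_oid("1.2.840.10045.4.3.2")))                # ecdsa-with-SHA256
              + name("Example Issuing CA")
              + tlv(0x30, tlv(0x17, b"220420000000Z") + tlv(0x17, b"230420000000Z"))   # validity
              + name("example.com")
              + tlv(0x30, tlv(0x30, tlv(0x06, encode_oid("1.2.840.10045.2.1"))
                              + tlv(0x06, encode_oid("1.2.840.10045.3.1.7")))
                         + tlv(0x03, b"\x00\x04" + b"\x11" * 64)))                      # toy P-256 SPKI
    return tlv(0x30, fields + tlv(0xA3, tlv(0x30, b"".join(extensions))))

SAN = extension("2.5.29.17", tlv(0x30, tlv(0x82, b"example.com")))
POISON = extension(POISON_OID, tlv(0x05, b""), critical=True)     # extnValue is ASN.1 NULL
SCTS = extension(SCT_LIST_OID, tlv(0x04, b"\x00\x00"))            # empty SCT list, placeholder
PRECERT_TBS = build_tbs(b"\x01\x23\x45", [SAN, POISON])
FINAL_TBS = build_tbs(b"\x01\x23\x45", [SAN, SCTS])                # same fields, SCTs replace poison
OTHER_SERIAL_TBS = build_tbs(b"\x01\x23\x46", [SAN, SCTS])         # a different certificate

if __name__ == "__main__":
    print("matching final:", final_matches_precert(FINAL_TBS, PRECERT_TBS))          # True
    print("other serial:  ", final_matches_precert(OTHER_SERIAL_TBS, PRECERT_TBS))   # False
    print("precert itself:", final_matches_precert(PRECERT_TBS, PRECERT_TBS))        # False
```

When the comparison fails, the serialNumber and issuer fields of the two TBSCertificates are what the proposed text uses to decide whether the mismatch is misissuance (two presumed final certificates sharing a serial and issuer), and they are also the identifiers a CA would need for the CRL and OCSP entries the later bullets require even if no final certificate was ever signed. A real implementation would take the TBSCertificate out of a signed Certificate rather than building it by hand, and would handle the Precertificate Signing Certificate case that this example deliberately leaves out.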
