I think that's good.

Regards,
Andrew
On Wed, 20 Apr 2022 08:32:07 -0600
Ben Wilson <[email protected]> wrote:

> What about this language?
>
> ### 5.4 Precertificates ###
> The logging of a precertificate in a Certificate Transparency log is considered by Mozilla to be a binding intent to issue a final certificate, as described in [section 3.1 of RFC 6962][6962-3.1]. "Final certificate" means a certificate that is not a precertificate. Precertificates are in-scope for enforcing compliance with these requirements. Thus,
> * if a final certificate cannot be verified as matching a precertificate using the algorithms in RFC 6962, then two distinct final certificates are presumed to exist, and it is misissuance if the two final certificates have the same serial number and issuer, even if only one final certificate actually exists;
> * if a precertificate implies the existence of a final certificate that does not comply with this policy, it is considered misissuance of the final certificate, even if the certificate does not actually exist;
> * a CA must be able to revoke a certificate presumed to exist, if revocation of the certificate is required under this policy, even if the final certificate does not actually exist; and
> * a CA must provide CRL and OCSP services and responses in accordance with this policy for all certificates presumed to exist based on the presence of a precertificate, even if the certificate does not actually exist.
>
> On Wed, Apr 20, 2022 at 8:00 AM Andrew Ayer <[email protected]> wrote:
>
> > On Tue, 19 Apr 2022 20:56:25 -0600
> > Ben Wilson <[email protected]> wrote:
> >
> > > Hi Rob and Andrew,
> > >
> > > "Corresponding certificate" seems to work, but are you OK with this for the first bullet?
> > >
> > > " * if a corresponding certificate cannot be verified as matching a precertificate using the algorithms in RFC 6962, then two distinct corresponding certificates are presumed to exist, and it is misissuance if the two corresponding certificates have the same serial number and issuer, even if only one corresponding certificate actually exists;"
> >
> > I don't think "corresponding certificate" works here because only one of the corresponding certificates actually corresponds to an extant precertificate.
> >
> > I think we should stick with "final certificate" and add a simple definition:
> >
> > A certificate that is not a precertificate [RFC 6962].
> >
> > Regards,
> > Andrew

--
You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20220420103914.700cddfb6aee916740fade39%40andrewayer.name.
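The RFC 6962 check that the first bullet of the proposed text relies on, as an added example that is not part of this thread and not Mozilla's or any CA's code: the precertificate's TBSCertificate with the poison extension removed must be byte-identical to the final certificate's TBSCertificate with the SCT-list extension removed, and a final certificate that fails that check is treated as a presumed second certificate, which is misissuance if it shares serial number and issuer with the precertificate. The DER walker, the `make_tbs` builder and its abbreviated sample certificates are constructed for the demo; precertificates signed by a Precertificate Signing Certificate (issuer and AKI substitution in RFC 6962) are assumed out of scope.

```python
# Added example, not from the thread: RFC 6962 s3.2 precert/final-cert match over a minimal DER walker.
POISON_OID = bytes.fromhex("2b06010401d679020403")    # 1.3.6.1.4.1.11129.2.4.3, precert poison
SCT_LIST_OID = bytes.fromhex("2b06010401d679020402")  # 1.3.6.1.4.1.11129.2.4.2, SCT list
SEQ, INT, OID, OCTETS, VERSION, EXTS = 0x30, 0x02, 0x06, 0x04, 0xA0, 0xA3  # DER tags used here

def der_split(buf: bytes) -> list:
    """Split a DER blob into its top-level (tag, body) elements (definite lengths only)."""
    out, i = [], 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length >= 0x80:  # long form: low 7 bits give the number of length bytes that follow
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        out.append((tag, buf[i:i + length]))
        i += length
    return out
def der_join(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def strip_extension(tbs: bytes, oid: bytes) -> bytes:
    """Return the TBSCertificate re-encoded with every extension whose OID equals `oid` removed."""
    parts = []
    for tag, body in der_split(der_split(tbs)[0][1]):
        if tag == EXTS:  # [3] EXPLICIT SEQUENCE OF Extension; the OID is each Extension's first field
            exts = der_split(der_split(body)[0][1])
            kept = [der_join(t, b) for t, b in exts if der_split(b)[0] != (OID, oid)]
            body = der_join(SEQ, b"".join(kept))
        parts.append(der_join(tag, body))
    return der_join(SEQ, b"".join(parts))
def serial_and_issuer(tbs: bytes) -> tuple:
    """serialNumber and issuer Name bodies; the optional [0] version field is skipped if present."""
    fields = [f for f in der_split(der_split(tbs)[0][1]) if f[0] != VERSION]
    return fields[0][1], fields[2][1]  # serial, (signature AlgorithmIdentifier), issuer

def classify(precert_tbs: bytes, final_tbs: bytes) -> str:
    """Policy bullet 1: no RFC 6962 match = presumed second final cert; same serial+issuer = misissuance."""
    if strip_extension(precert_tbs, POISON_OID) == strip_extension(final_tbs, SCT_LIST_OID):
        return "match"
    if serial_and_issuer(precert_tbs) == serial_and_issuer(final_tbs):
        return "misissuance"
    return "distinct"
def make_tbs(serial: int, issuer: bytes, exts: list) -> bytes:
    """Constructed, abbreviated TBSCertificate: sig alg, validity, subject and SPKI are empty SEQUENCEs."""
    ext_seq = b"".join(der_join(SEQ, der_join(OID, o) + der_join(OCTETS, v)) for o, v in exts)
    fields = [der_join(VERSION, der_join(INT, b"\x02")), der_join(INT, serial.to_bytes(2, "big")),
              der_join(SEQ, b""), der_join(SEQ, issuer), der_join(SEQ, b""), der_join(SEQ, b""),
              der_join(SEQ, b""), der_join(EXTS, der_join(SEQ, ext_seq))]
    return der_join(SEQ, b"".join(fields))
```

`classify(precert_tbs, final_tbs)` takes the raw DER TBSCertificate of each certificate; on real certificates, the critical flag inside the poison extension does not affect the check because only the extension's OID is inspected before the whole Extension is dropped.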
