Jacob and Andrew,

What if I just added this underlined language without replacing the first
bullet?

"Precertificates are in-scope for enforcing compliance with these
requirements. *It is misissuance to issue a final certificate based on a
precertificate if they do not exactly match each other according to RFC
6962 section 3.1. A final certificate is 'based on' a precertificate if
they have the same serial and issuer, or they have the same serial and the
final certificate's issuer matches the precertificate's issuer's issuer.*
Thus,  ..."

Ben

On Thu, Apr 21, 2022 at 3:07 PM Ben Wilson <[email protected]> wrote:

> Should it say "final certificate" in this bullet?
>
> On Thu, Apr 21, 2022 at 11:15 AM Jacob Hoffman-Andrews <
> [email protected]> wrote:
>
>> On Wed, Apr 20, 2022 at 6:19 AM Andrew Ayer <[email protected]> wrote:
>>
>>> As I understand it, the goal of this bullet point is not to add an
>>> exception to misissuance, but to make sure that there is zero ambiguity
>>> that incidents like the following are misissuances:
>>>
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1677737
>>
>>
>> This is useful context, thanks. FWIW, I don't think the current wording
>> achieves that goal, since it is still quite hard to parse, even for someone
>> who understands the requirements and how they interact.
>>
>> Here's another take:
>>
>>  - "It is misissuance to issue a certificate based on a precertificate
>> if they do not exactly match each other according to RFC 6962 section 3.1.
>> A certificate is 'based on' a precertificate if they have the same serial
>> and issuer, or they have the same serial and the certificate's issuer
>> matches the precertificate's issuer's issuer."
>>
>
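
The "based on" test and the RFC 6962 section 3.1 comparison proposed in this thread, sketched as a linter check. This is an added example, not part of any message above; the `Cert` model, helper names and sample values are constructed assumptions, and a real check would compare decoded TBSCertificate fields.

```python
from dataclasses import dataclass, field

POISON = "1.3.6.1.4.1.11129.2.4.3"    # RFC 6962 precertificate poison extension
SCT_LIST = "1.3.6.1.4.1.11129.2.4.2"  # RFC 6962 embedded SCT list extension
AKI = "2.5.29.35"                     # authorityKeyIdentifier
SAN = "2.5.29.17"                     # subjectAltName

@dataclass
class Cert:
    """Simplified stand-in for a decoded TBSCertificate (assumption of this example)."""
    serial: int
    issuer: str
    subject: str
    extensions: dict = field(default_factory=dict)  # OID -> decoded value

def based_on(final, pre, issuer_of):
    """Same serial and issuer, or same serial and final issuer == precert issuer's issuer."""
    if final.serial != pre.serial:
        return False
    return final.issuer == pre.issuer or final.issuer == issuer_of.get(pre.issuer)

def comparable(cert, via_signing_cert):
    """Fields that must be identical across the pair.

    The poison and SCT list extensions are always excluded. When a Precertificate
    Signing Certificate issued the precertificate, RFC 6962 replaces its issuer and
    AKI with the final issuer's values, so those are left out of the comparison.
    """
    skip = {POISON, SCT_LIST} | ({AKI} if via_signing_cert else set())
    exts = {k: v for k, v in cert.extensions.items() if k not in skip}
    return (cert.serial, None if via_signing_cert else cert.issuer, cert.subject, exts)

def classify(final, pre, issuer_of):
    """Return 'unrelated', 'match' or 'misissuance' for a final/precertificate pair."""
    if not based_on(final, pre, issuer_of):
        return "unrelated"
    via = final.issuer != pre.issuer
    same = comparable(final, via) == comparable(pre, via)
    return "match" if same else "misissuance"

# Constructed sample data: issuer_of maps a CA name to the name of its own issuer.
ISSUER_OF = {"CN=Example Precert Signing CA": "CN=Example Issuing CA"}
PRE = Cert(0x1A2B, "CN=Example Precert Signing CA", "CN=example.test",
           {POISON: None, SAN: ("example.test",), AKI: "signing-ca-key"})
GOOD = Cert(0x1A2B, "CN=Example Issuing CA", "CN=example.test",
            {SCT_LIST: "scts", SAN: ("example.test",), AKI: "issuing-ca-key"})
BAD = Cert(0x1A2B, "CN=Example Issuing CA", "CN=example.test",
           {SCT_LIST: "scts", SAN: ("example.test", "www.example.test"), AKI: "issuing-ca-key"})
```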
