I think Jacob's language (with your change to use "final certificate") is good, and it would be OK to replace the first bullet with it. I'm also OK with leaving the first bullet, but it seems redundant with the new and improved language.
Regards,
Andrew

On Thu, 21 Apr 2022 15:48:34 -0600 Ben Wilson <[email protected]> wrote:

> Jacob and Andrew,
>
> What if I just added this underlined language without replacing the
> first bullet?
>
> "Precertificates are in-scope for enforcing compliance with these
> requirements. *It is misissuance to issue a final certificate based
> on a precertificate if they do not exactly match each other according
> to RFC 6962 section 3.1. A final certificate is 'based on' a
> precertificate if they have the same serial and issuer, or they have
> the same serial and the final certificate's issuer matches the
> precertificate's issuer's issuer.* Thus, ..."
>
> Ben
>
> On Thu, Apr 21, 2022 at 3:07 PM Ben Wilson <[email protected]>
> wrote:
>
> > Should it say "final certificate" in this bullet?
> >
> > On Thu, Apr 21, 2022 at 11:15 AM Jacob Hoffman-Andrews <
> > [email protected]> wrote:
> >
> >> On Wed, Apr 20, 2022 at 6:19 AM Andrew Ayer <[email protected]>
> >> wrote:
> >>
> >>> As I understand it, the goal of this bullet point is not to add an
> >>> exception to misissuance, but to make sure that there is zero
> >>> ambiguity that incidents like the following are misissuances:
> >>>
> >>> https://bugzilla.mozilla.org/show_bug.cgi?id=1677737
> >>
> >>
> >> This is useful context, thanks. FWIW, I don't think the current
> >> wording achieves that goal, since it is still quite hard to parse,
> >> even for someone who understands the requirements and how they
> >> interact.
> >>
> >> Here's another take:
> >>
> >> - "It is misissuance to issue a certificate based on a
> >> precertificate if they do not exactly match each other according
> >> to RFC 6962 section 3.1. A certificate is 'based on' a
> >> precertificate if they have the same serial and issuer, or they
> >> have the same serial and the certificate's issuer matches the
> >> precertificate's issuer's issuer."
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20220421175806.540a31577a1223b0d03ceb59%40andrewayer.name.
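The two rules the proposed wording relies on, "based on" (same serial and issuer, or same serial and the final certificate's issuer is the issuer of the precertificate's issuer) and "exactly match according to RFC 6962 section 3.1" (the final TBSCertificate equals the precertificate's with the poison extension removed and, when a Precertificate Signing Certificate was used, the issuer and Authority Key Identifier replaced), can be checked mechanically. The following is an added example, not code from the thread or from Mozilla; it uses pyca/cryptography and constructs its own throwaway root CA, precertificate signing certificate, precertificate and two candidate final certificates in-process (names, keys and serials are invented for the demonstration). It compares certificate fields rather than raw DER, so it treats the SCT list extension, which only the final certificate can carry, as exempt, and reports each difference it finds.

```python
"""Does a final certificate match its precertificate (RFC 6962 section 3.1)?

Added example. All CA names, keys and certificates are constructed here for
the demonstration; nothing is fetched or signed by a real CA.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

# Extended key usage that marks a Precertificate Signing Certificate (RFC 6962 3.1).
CT_PRECERT_SIGNING = x509.ObjectIdentifier("1.3.6.1.4.1.11129.2.4.4")


def is_based_on(final, precert, precert_signing_cert=None):
    """The proposed 'based on' test from the thread.

    True if serial and issuer are the same, or if the serial is the same and
    the final certificate's issuer is the issuer of the precertificate's
    issuer (the Precertificate Signing Certificate, passed in by the caller).
    """
    if final.serial_number != precert.serial_number:
        return False
    if final.issuer == precert.issuer:
        return True
    if precert_signing_cert is not None:
        return (precert.issuer == precert_signing_cert.subject
                and final.issuer == precert_signing_cert.issuer)
    return False


def _validity(cert):
    # not_valid_*_utc exist in cryptography >= 42; older versions only have the naive forms.
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return cert.not_valid_before, cert.not_valid_after


def _spki(cert):
    return cert.public_key().public_bytes(serialization.Encoding.DER,
                                          serialization.PublicFormat.SubjectPublicKeyInfo)


def rfc6962_mismatches(final, precert, via_precert_signing_cert=False):
    """Return a list of differences; an empty list means the pair matches.

    Field-level rendering of RFC 6962 3.1: everything in the TBSCertificate must
    agree except the poison extension (precert only), the SCT list (final only)
    and, when a Precertificate Signing Certificate was used, issuer and AKI.
    """
    diffs = []
    try:
        precert.extensions.get_extension_for_oid(ExtensionOID.PRECERT_POISON)
    except x509.ExtensionNotFound:
        diffs.append("precert lacks the poison extension")
    try:
        final.extensions.get_extension_for_oid(ExtensionOID.PRECERT_POISON)
        diffs.append("final certificate carries the poison extension")
    except x509.ExtensionNotFound:
        pass
    for name in ("version", "serial_number", "subject"):
        if getattr(final, name) != getattr(precert, name):
            diffs.append(f"{name} differs")
    if _validity(final) != _validity(precert):
        diffs.append("validity differs")
    if _spki(final) != _spki(precert):
        diffs.append("subject public key differs")
    if not via_precert_signing_cert and final.issuer != precert.issuer:
        diffs.append("issuer differs")
    skip = {ExtensionOID.PRECERT_POISON, ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS}
    if via_precert_signing_cert:
        skip.add(ExtensionOID.AUTHORITY_KEY_IDENTIFIER)
    # Extension objects compare on OID, criticality and value; order matters too.
    if [e for e in final.extensions if e.oid not in skip] != \
       [e for e in precert.extensions if e.oid not in skip]:
        diffs.append("extensions differ (set, order, criticality or value)")
    return diffs


# ---- constructed test material (hypothetical CA hierarchy) -------------------
NOT_BEFORE = datetime.datetime(2022, 4, 21)
NOT_AFTER = NOT_BEFORE + datetime.timedelta(days=90)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _build(subject, issuer, pubkey, signing_key, serial, not_after, exts):
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pubkey).serial_number(serial)
         .not_valid_before(NOT_BEFORE).not_valid_after(not_after))
    for ext, critical in exts:
        b = b.add_extension(ext, critical=critical)
    return b.sign(signing_key, hashes.SHA256())


def build_demo():
    root_key, pcsc_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root_name, pcsc_name, leaf_name = _name("Example Root"), _name("Example Precert Signing"), _name("example.test")
    root = _build(root_name, root_name, root_key.public_key(), root_key, 1, NOT_AFTER,
                  [(x509.BasicConstraints(ca=True, path_length=None), True)])
    pcsc = _build(pcsc_name, root_name, pcsc_key.public_key(), root_key, 2, NOT_AFTER,
                  [(x509.BasicConstraints(ca=True, path_length=0), True),
                   (x509.ExtendedKeyUsage([CT_PRECERT_SIGNING]), True)])

    def leaf_exts(issuer_pub, poison):
        exts = [(x509.SubjectAlternativeName([x509.DNSName("example.test")]), False),
                (x509.AuthorityKeyIdentifier.from_issuer_public_key(issuer_pub), False)]
        if poison:
            exts.append((x509.PrecertPoison(), True))  # RFC 6962 requires it critical
        return exts

    serial = 0x1234
    precert = _build(leaf_name, pcsc_name, leaf_key.public_key(), pcsc_key, serial, NOT_AFTER,
                     leaf_exts(pcsc_key.public_key(), True))
    final_ok = _build(leaf_name, root_name, leaf_key.public_key(), root_key, serial, NOT_AFTER,
                      leaf_exts(root_key.public_key(), False))
    # Misissued variant: same serial, but the validity was changed before final issuance.
    final_bad = _build(leaf_name, root_name, leaf_key.public_key(), root_key, serial,
                       NOT_AFTER + datetime.timedelta(days=365), leaf_exts(root_key.public_key(), False))
    return root, pcsc, precert, final_ok, final_bad


def demo():
    root, pcsc, precert, final_ok, final_bad = build_demo()
    return {
        "based_on_ok": is_based_on(final_ok, precert, pcsc),
        "based_on_bad": is_based_on(final_bad, precert, pcsc),   # still 'based on': same serial
        "based_on_without_chain": is_based_on(final_ok, precert),  # issuer of issuer unknown
        "ok_diffs": rfc6962_mismatches(final_ok, precert, via_precert_signing_cert=True),
        "bad_diffs": rfc6962_mismatches(final_bad, precert, via_precert_signing_cert=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that `is_based_on` needs the Precertificate Signing Certificate to evaluate the second arm of the rule; a checker that only has the precertificate and the final certificate can only apply the "same serial and issuer" arm, which is why the `final_bad` case is still reported as "based on" while `rfc6962_mismatches` flags the changed validity as the misissuance.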
