OK - thanks. On Thu, Apr 21, 2022 at 3:58 PM Andrew Ayer <[email protected]> wrote:
> I think Jacob's language (with your change to use "final certificate") > is good and would be OK replacing the first bullet with it. I'm also > OK with leaving the first bullet, but it seems redundant with the > new and improved language. > > Regards, > Andrew > > On Thu, 21 Apr 2022 15:48:34 -0600 > Ben Wilson <[email protected]> wrote: > > > Jacob and Andrew, > > > > What if I just added this underlined language without replacing the > > first bullet? > > > > "Precertificates are in-scope for enforcing compliance with these > > requirements. *It is mississuance to issue a final certificate based > > on a precertificate if they do not exactly match each other according > > to RFC 6962 section 3.1. A final certificate is 'based on' a > > precertificate if they have the same serial and issuer, or they have > > the same serial and the final certificate's issuer matches the > > precertificate's issuer's issuer.* Thus, ..." > > > > Ben > > > > On Thu, Apr 21, 2022 at 3:07 PM Ben Wilson <[email protected]> > > wrote: > > > > > Should it say "final certificate" in this bullet? > > > > > > On Thu, Apr 21, 2022 at 11:15 AM Jacob Hoffman-Andrews < > > > [email protected]> wrote: > > > > > >> On Wed, Apr 20, 2022 at 6:19 AM Andrew Ayer <[email protected]> > > >> wrote: > > >> > > >>> As I understand it, the goal of this bullet point is not to add an > > >>> exception to misissuance, but to make sure that there is zero > > >>> ambiguity that incidents like the following are misissuances: > > >>> > > >>> https://bugzilla.mozilla.org/show_bug.cgi?id=1677737 > > >> > > >> > > >> This is useful context, thanks. FWIW, I don't think the current > > >> wording achieves that goal, since it is still quite hard to parse, > > >> even for someone who understands the requirements and how they > > >> interact. > > >> > > >> Here's another take: > > >> > > >> - "It is mississuance to issue a certificate based on a > > >> precertificate if they do not exactly match each other according > > >> to RFC 6962 section 3.1. A certificate is 'based on' a > > >> precertificate if they have the same serial and issuer, or they > > >> have the same serial and the certificate's issuer matches the > > >> precertificate's issuer's issuer." > > >> > > > > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabjTviJ8M7A1u-7VDud7UcQXz3apxmV3L243UOKxzCGfw%40mail.gmail.com.
