See https://github.com/BenWilson-Mozilla/pkipolicy/commit/55066357d674adb8da4b8ee20b5cd60cf2b6f8bd
On Thu, Apr 21, 2022 at 4:26 PM Ben Wilson <[email protected]> wrote:
> OK - thanks.
>
> On Thu, Apr 21, 2022 at 3:58 PM Andrew Ayer <[email protected]> wrote:
>
> > I think Jacob's language (with your change to use "final certificate")
> > is good and would be OK replacing the first bullet with it. I'm also
> > OK with leaving the first bullet, but it seems redundant with the
> > new and improved language.
> >
> > Regards,
> > Andrew
> >
> > On Thu, 21 Apr 2022 15:48:34 -0600 Ben Wilson <[email protected]> wrote:
> >
> > > Jacob and Andrew,
> > >
> > > What if I just added this underlined language without replacing the
> > > first bullet?
> > >
> > > "Precertificates are in-scope for enforcing compliance with these
> > > requirements. *It is misissuance to issue a final certificate based
> > > on a precertificate if they do not exactly match each other according
> > > to RFC 6962 section 3.1. A final certificate is 'based on' a
> > > precertificate if they have the same serial and issuer, or they have
> > > the same serial and the final certificate's issuer matches the
> > > precertificate's issuer's issuer.* Thus, ..."
> > >
> > > Ben
> > >
> > > On Thu, Apr 21, 2022 at 3:07 PM Ben Wilson <[email protected]> wrote:
> > >
> > > > Should it say "final certificate" in this bullet?
> > > >
> > > > On Thu, Apr 21, 2022 at 11:15 AM Jacob Hoffman-Andrews <[email protected]> wrote:
> > > >
> > > > > On Wed, Apr 20, 2022 at 6:19 AM Andrew Ayer <[email protected]> wrote:
> > > > >
> > > > > > As I understand it, the goal of this bullet point is not to add an
> > > > > > exception to misissuance, but to make sure that there is zero
> > > > > > ambiguity that incidents like the following are misissuances:
> > > > > >
> > > > > > https://bugzilla.mozilla.org/show_bug.cgi?id=1677737
> > > > >
> > > > > This is useful context, thanks. FWIW, I don't think the current
> > > > > wording achieves that goal, since it is still quite hard to parse,
> > > > > even for someone who understands the requirements and how they
> > > > > interact.
> > > > >
> > > > > Here's another take:
> > > > >
> > > > > - "It is misissuance to issue a certificate based on a
> > > > > precertificate if they do not exactly match each other according
> > > > > to RFC 6962 section 3.1. A certificate is 'based on' a
> > > > > precertificate if they have the same serial and issuer, or they
> > > > > have the same serial and the certificate's issuer matches the
> > > > > precertificate's issuer's issuer."
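The "based on" relationship and the RFC 6962 section 3.1 comparison that the proposed wording relies on, as an added Python example that is not part of this message, Mozilla's policy or any CA's code. It uses the `cryptography` library, constructs a hypothetical CA ("Example CA", a precert signing certificate, serial 4242) in memory, and approximates the section 3.1 comparison field by field rather than on raw TBS bytes; the sample sets no authority key identifier, so that part of the section 3.1 rule is not exercised.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import ExtensionOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
from cryptography.hazmat.primitives.asymmetric import ec

# CT-only extensions that RFC 6962 s3.1 sets aside when a precert is compared with its final cert.
CT_ONLY = {ExtensionOID.PRECERT_POISON, ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS}
SAN = lambda *names: (x509.SubjectAlternativeName([x509.DNSName(n) for n in names]), False)
POISON = (x509.PrecertPoison(), True)  # the critical poison extension is what makes a precertificate
name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def build(subject, issuer, signing_key, public_key, serial, exts):
    """Constructed sample certificate from a hypothetical CA; exts is a list of (value, critical)."""
    start = datetime.datetime(2022, 4, 21, tzinfo=datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name(subject)).issuer_name(name(issuer))
         .public_key(public_key).serial_number(serial)
         .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=90)))
    for value, critical in exts:
        b = b.add_extension(value, critical)
    return b.sign(signing_key, hashes.SHA256())

def based_on(final, precert, precert_signer=None):
    """Same serial and issuer, or same serial and the final cert's issuer is the precert signer's issuer."""
    if final.serial_number != precert.serial_number:
        return False
    if final.issuer == precert.issuer:
        return True
    return precert_signer is not None and final.issuer == precert_signer.issuer

def exact_match(final, precert):
    """Field-level approximation of RFC 6962 s3.1: every TBS field must agree except the issuer
    (covered by based_on, and legitimately different under a precert signing cert) and CT_ONLY."""
    def body(c):
        nb, na = ((c.not_valid_before_utc, c.not_valid_after_utc) if hasattr(c, "not_valid_before_utc")
                  else (c.not_valid_before, c.not_valid_after))  # older cryptography releases
        spki = c.public_key().public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)
        return (c.version, c.serial_number, c.subject, nb, na, spki,
                [e for e in c.extensions if e.oid not in CT_ONLY])
    return body(final) == body(precert)

def demo():
    ca_key, signer_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    leaf = ec.generate_private_key(ec.SECP256R1()).public_key()
    signer = build("Example CA Precert Signer", "Example CA", ca_key, signer_key.public_key(), 1, [])
    pre = build("example.test", "Example CA Precert Signer", signer_key, leaf, 4242, [SAN("example.test"), POISON])
    good = build("example.test", "Example CA", ca_key, leaf, 4242, [SAN("example.test")])
    bad = build("example.test", "Example CA", ca_key, leaf, 4242, [SAN("example.test", "www.example.test")])
    return {"good_based_on": based_on(good, pre, signer), "good_match": exact_match(good, pre),
            "bad_based_on": based_on(bad, pre, signer), "bad_match": exact_match(bad, pre),
            "no_signer_based_on": based_on(good, pre)}  # issuers cannot be linked without the signer cert
```

The `bad` certificate is the case the wording targets: it is "based on" the precert (same serial, issuer chain links through the signer) yet its SAN differs, so under the proposed bullet issuing it would be misissuance.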
