I am concerned by the effective date of October 1, 2022 for the last two bullet points of Section 5.4 (Precertificates). Although some CAs have argued that these are "new" requirements, they haven't explained _why_ they need this amount of time to become compliant, and for the reasons I previously stated <https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/-yDazqfWzN8/m/FvyoY6KfCQAJ>, such a long phase-in period doesn't seem justifiable given the history.
The second-to-last bullet point is especially important, and if Mozilla doesn't enforce it until October, then for the next 5+ months, CAs will be allowed to leave misissued certificates unrevoked by simply claiming that they never issued a final certificate, which no one has any way of verifying.

Note that both of these bullet points are already implied by RFC6962's statement that precertificates create a binding intent to issue a certificate. CAs should not assume that other root programs have made or will make an exception to RFC6962's implication. Apple and Chrome likely have strong opinions here, since as CT-enforcing UAs, their users have the most to lose from a weakening of a precertificate's meaning.

Unless these other root programs say otherwise, I will continue reporting noncompliance observed by OCSP Watch even when the only evidence of issuance is a precertificate.

Regards,
Andrew