Thanks, Andrew. I think it will be really helpful for OCSP Watch to monitor compliance based on precertificates going forward.

Ben

On Fri, Apr 22, 2022 at 7:37 AM Andrew Ayer <[email protected]> wrote:

> I am concerned by the effective date of October 1, 2022 for the last two
> bullet points of Section 5.4 (Precertificates). Although some CAs have
> argued that these are "new" requirements, they haven't explained _why_
> they need this amount of time to become compliant, and for the reasons I
> previously stated
> <https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/-yDazqfWzN8/m/FvyoY6KfCQAJ>,
> such a long phase-in period doesn't seem justifiable given the history.
>
> The second-to-last bullet point is especially important, and if Mozilla
> doesn't enforce it until October, then for the next 5+ months, CAs will
> be allowed to leave misissued certificates unrevoked by simply claiming
> that they never issued a final certificate, which no one has any way of
> verifying.
>
> Note that both of these bullet points are already implied by RFC6962's
> statement that precertificates create a binding intent to issue a
> certificate. CAs should not assume that other root programs have made
> or will make an exception to RFC6962's implication. Apple and Chrome
> likely have strong opinions here, since as CT-enforcing UAs, their
> users have the most to lose from a weakening of a precertificate's
> meaning. Unless these other root programs say otherwise, I will
> continue reporting noncompliance observed by OCSP Watch even when the
> only evidence of issuance is a precertificate.
>
> Regards,
> Andrew

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtab_Cdn8bLLPMEak-yJwzvZG_FaN_QoiNp1UCQfC%3Da-x%2BA%40mail.gmail.com.
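A compliance monitor of the kind discussed in this thread has to recognise a precertificate before it can treat it as evidence of issuance. The following is an added example, not code from the thread or from OCSP Watch: a minimal stdlib-only DER walker that checks a certificate's Extensions block for the RFC 6962 poison extension (OID 1.3.6.1.4.1.11129.2.4.3). The sample Extensions blocks are constructed inline and do not come from any real CA.

```python
# Added example: detect the RFC 6962 precertificate poison extension in a DER
# Extensions SEQUENCE. Sample inputs below are constructed, not real CA data.

PRECERT_POISON_OID = "1.3.6.1.4.1.11129.2.4.3"   # RFC 6962 section 3.1 (poison)
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"         # embedded SCT list (final cert)

def encode_oid(dotted):
    """DER-encode an OID's contents: first two arcs packed, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytes([a & 0x7F])
        a >>= 7
        while a:                              # prepend continuation bytes
            chunk = bytes([0x80 | (a & 0x7F)]) + chunk
            a >>= 7
        out += chunk
    return out

def tlv(tag, value):
    """Encode one DER TLV (short-form length; the samples stay under 128 bytes)."""
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos):
    """Parse one DER TLV at pos, long-form lengths included; (tag, value, next)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extension_oids(extensions_der):
    """Yield the raw extnID bytes of each Extension in an Extensions SEQUENCE."""
    tag, body, _ = read_tlv(extensions_der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    pos = 0
    while pos < len(body):
        tag, ext, pos = read_tlv(body, pos)        # Extension ::= SEQUENCE
        oid_tag, oid_val, _ = read_tlv(ext, 0)     # extnID is its first element
        assert tag == 0x30 and oid_tag == 0x06, "malformed Extension"
        yield oid_val

def is_precertificate(extensions_der):
    """True when the poison extension is present: a binding intent to issue."""
    return encode_oid(PRECERT_POISON_OID) in extension_oids(extensions_der)

def extension(oid, critical, value):
    body = tlv(0x06, encode_oid(oid)) + (tlv(0x01, b"\xff") if critical else b"")
    return tlv(0x30, body + tlv(0x04, value))

# Constructed samples: a precertificate (critical poison, NULL value) and the
# matching final certificate (embedded SCT list in place of the poison).
BASIC = extension("2.5.29.19", True, b"\x30\x00")           # basicConstraints
PRECERT_EXTS = tlv(0x30, BASIC + extension(PRECERT_POISON_OID, True, b"\x05\x00"))
FINAL_EXTS = tlv(0x30, BASIC + extension(SCT_LIST_OID, False, b"\x04\x00"))
```

A real monitor would read the Extensions SEQUENCE out of the certificate's TBSCertificate first; the walker above only handles that inner block.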
