Hi Ryan,

On Thu, 11 Apr 2024 16:11:00 -0400 "'Ryan Dickson' via CCADB Public" <[email protected]> wrote:

> Total number of pre-certificates: [if applicable, the total count of pre-certificates affected by the issue(s) described in this incident report, including expired and revoked pre-certificates]
>
> Total number of certificates: [if applicable, the total count of "final" certificates affected by the issue(s) described in this incident report, including expired and revoked certificates]
>
> Total number of "remaining valid" certificates: [if applicable, the total count of "final" certificates affected by the issue(s) described in this incident report, minus expired and revoked certificates. Minimally, this set of certificates MUST be disclosed in the Appendix section of this report.]

I don't think it's a good idea to make a distinction between precertificates and final certificates in incident reporting. Though in rare cases a distinction makes sense (e.g. an encoding issue that only appears in one or the other), in the vast majority of incidents, certificates and precertificates are both equally good evidence of the underlying non-compliant issuance event. In particular, every precertificate implies the existence of a corresponding final certificate whether the CA says they issued it or not. Treating final certificates and precertificates as equivalent during incident reporting reinforces this rather important facet of CT. Treating them differently may give the impression that "precertificate misissuance" is less bad than "certificate misissuance", a corrosive idea that CAs have repeatedly tried to exploit.

I'm also deeply uncomfortable with removing the requirement to disclose all affected certificates (or their equivalent precertificates). I would think that generating a list of affected certificates would be an easy byproduct of the investigation that CAs should be conducting anyways. This is particularly true if the CA is revoking the certificates, but even if the certificates are already expired, the CA should still be scanning their corpus to generate a count of affected certificates. Removing the requirement to produce this byproduct would at best be requiring third parties to duplicate work already done by the CA. At worst, it would allow CAs to cut corners in their investigations (e.g. by just guessing the number of affected certificates). If there is a way to reduce the overhead of generating the list, that's good to pursue (and it seems like allowing certificates and precertificates to be used interchangeably would help), but CAs should still be required to produce the list.

Regards,
Andrew

-- 
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/20240415101326.94c029c0c9936380c196ad66%40andrewayer.name.
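The point made above, that a precertificate and its final certificate are two records of one issuance event, is what a CA's corpus scan has to encode when it counts affected certificates. The Go program below is an added example written for this thread; it is not code from the message, from CCADB or from any CA. It builds a throwaway CA in memory, issues a precertificate carrying the RFC 6962 poison extension and the matching final certificate carrying a stand-in SCT-list extension for one serial number, issues a second final certificate for another serial, and then counts distinct issuance events by (issuer, serial) while setting the two CT extensions aside when it compares certificate bodies. The CA name, serials, hostnames, validity dates and the empty SCT list are all constructed here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// RFC 6962 extension OIDs: the poison marks a precertificate, the SCT list
// appears only in a final certificate. Both are ignored when comparing bodies.
var (
	oidPrecertPoison = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}
	oidSCTList       = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}
)

// IsPrecertificate reports whether c carries the critical poison extension.
func IsPrecertificate(c *x509.Certificate) bool {
	for _, e := range c.Extensions {
		if e.Id.Equal(oidPrecertPoison) {
			return true
		}
	}
	return false
}

// IssuanceKey names the issuance event: issuer DN plus serial number.
// A precertificate and its final certificate share this key.
func IssuanceKey(c *x509.Certificate) string {
	return c.Issuer.String() + "|" + c.SerialNumber.Text(16)
}

// nonCTExtensions returns every extension except the two RFC 6962 ones.
func nonCTExtensions(c *x509.Certificate) []pkix.Extension {
	var out []pkix.Extension
	for _, e := range c.Extensions {
		if !e.Id.Equal(oidPrecertPoison) && !e.Id.Equal(oidSCTList) {
			out = append(out, e)
		}
	}
	return out
}

// SameIssuance reports whether a and b describe the same TBSCertificate once
// the poison and SCT-list extensions are set aside (RFC 6962 section 3.2).
func SameIssuance(a, b *x509.Certificate) bool {
	if IssuanceKey(a) != IssuanceKey(b) || a.Subject.String() != b.Subject.String() {
		return false
	}
	if !a.NotBefore.Equal(b.NotBefore) || !a.NotAfter.Equal(b.NotAfter) {
		return false
	}
	if !bytes.Equal(a.RawSubjectPublicKeyInfo, b.RawSubjectPublicKeyInfo) {
		return false
	}
	ea, eb := nonCTExtensions(a), nonCTExtensions(b)
	if len(ea) != len(eb) {
		return false
	}
	for i := range ea {
		if !ea[i].Id.Equal(eb[i].Id) || ea[i].Critical != eb[i].Critical || !bytes.Equal(ea[i].Value, eb[i].Value) {
			return false
		}
	}
	return true
}

// CountIssuanceEvents counts distinct (issuer, serial) pairs, so a
// precertificate and its final certificate are one event, not two.
func CountIssuanceEvents(certs []*x509.Certificate) int {
	seen := map[string]bool{}
	for _, c := range certs {
		seen[IssuanceKey(c)] = true
	}
	return len(seen)
}

// BuildSampleCorpus constructs a throwaway CA and three leaf certificates in
// memory (constructed sample data, not real certificates): a precertificate and
// its final certificate for serial 1001, and a second final for serial 1002.
func BuildSampleCorpus() ([]*x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             time.Date(2024, 4, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2034, 4, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	// issue signs one leaf with the CA key; extra carries the CT extension.
	issue := func(serial int64, extra pkix.Extension) (*x509.Certificate, error) {
		tmpl := &x509.Certificate{
			SerialNumber:    big.NewInt(serial),
			Subject:         pkix.Name{CommonName: "example.test"},
			DNSNames:        []string{"example.test"},
			NotBefore:       time.Date(2024, 4, 11, 0, 0, 0, 0, time.UTC),
			NotAfter:        time.Date(2024, 7, 10, 0, 0, 0, 0, time.UTC),
			KeyUsage:        x509.KeyUsageDigitalSignature,
			ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
			ExtraExtensions: []pkix.Extension{extra},
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
		if err != nil {
			return nil, err
		}
		return x509.ParseCertificate(der)
	}
	// Poison extension value is ASN.1 NULL, as RFC 6962 requires.
	poison := pkix.Extension{Id: oidPrecertPoison, Critical: true, Value: []byte{0x05, 0x00}}
	// Stand-in for the SCT list: an OCTET STRING holding an empty list (constructed, not a real SCT).
	sctList := pkix.Extension{Id: oidSCTList, Value: []byte{0x04, 0x02, 0x00, 0x00}}
	var out []*x509.Certificate
	for _, c := range []struct {
		serial int64
		ext    pkix.Extension
	}{{1001, poison}, {1001, sctList}, {1002, sctList}} {
		cert, err := issue(c.serial, c.ext)
		if err != nil {
			return nil, err
		}
		out = append(out, cert)
	}
	return out, nil
}

func main() {
	corpus, err := BuildSampleCorpus()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d certificates, %d issuance events\n", len(corpus), CountIssuanceEvents(corpus))
}
```

Run it with `go run` and it reports three certificates but two issuance events. One caveat the example does not cover: when a precertificate is signed by a dedicated Precertificate Signing Certificate (RFC 6962 section 3.1), its issuer field names that intermediate rather than the final issuer, so a scan keyed on issuer DN has to map that name back to the real issuer before the precertificate and final certificate will match.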
