That may well be the conclusion, that the benefits of total disclosure outweigh
the costs in this type of scenario. I just wanted to point out that there IS a
cost to at least consider. Yes, the certificate might have been seen in
transmission between the CA and the customer, yes the customer
I think (3) shouldn't be considered any different from (1) -- they're only
meaningfully different if you make a lot of assumptions about how it's
stored and transported at every point from when the HSM signs the TBS to
the certificate's final resting place (on someone's disk? in their email
inbox?
#2 seems like an obvious "no" to me as, at that point, you're only compounding
a mistake and making that mistake actually usable in the public PKI if you
proceed to issue the certificate. In practice I can't imagine this scenario
coming up much, but the policy shouldn't mandate doing this.
I
On 06/04/2018 03:04, Matt Palmer wrote:
On Thu, Apr 05, 2018 at 09:05:07PM +0200, Jakob Bohm via dev-security-policy
wrote:
On 04/04/2018 04:27, Matt Palmer wrote:
On Tue, Apr 03, 2018 at 01:49:58AM +0200, Jakob Bohm via dev-security-policy
wrote:
On 02/04/2018 18:26, Tom Delmas wrote:
On Thu, Apr 05, 2018 at 09:05:07PM +0200, Jakob Bohm via dev-security-policy
wrote:
> On 04/04/2018 04:27, Matt Palmer wrote:
> > On Tue, Apr 03, 2018 at 01:49:58AM +0200, Jakob Bohm via
> > dev-security-policy wrote:
> > > On 02/04/2018 18:26, Tom Delmas wrote:
> > > > Following the discussion
There are two separable questions here:
1) Should CAs log final certificates after they issue a certificate with
embedded SCTs: My answer, yes.
2) Should CAs issue final certificates if they discover they are misissued
after logging the pre-certificate.
The answers to (1) and (2) do not need to be
On Tue, Apr 03, 2018 at 01:49:58AM +0200, Jakob Bohm via dev-security-policy
wrote:
> On 02/04/2018 18:26, Tom Delmas wrote:
> > Following the discussion on
> > https://community.letsencrypt.org/t/non-logging-of-final-certificates/58394
> >
> > What is the position of Mozilla about the
On 02/04/2018 18:26, Tom Delmas wrote:
Following the discussion on
https://community.letsencrypt.org/t/non-logging-of-final-certificates/58394
What is the position of Mozilla about the submission to ct-logs of the
final certificate when there is already a pre-certificate?
As it helps
Mozilla currently doesn't have any policy with respect to Certificate
Transparency, so I think diving in on this particular point is putting the
cart before the horse :-)
Currently Firefox does not check/require SCT presence nor does the Mozilla
root program require certificates to be logged.
Following the discussion on
https://community.letsencrypt.org/t/non-logging-of-final-certificates/58394
What is the position of Mozilla about the submission to ct-logs of the
final certificate when there is already a pre-certificate?
As it helps discover bugs (