On 20/09/2019 19:03, Erwann Abalea wrote: > In the case of a precert subordinate CA, the CRLDP and AIA:ocsp will > contain the URLs of the real CA (the one that issued the precert sub > CA). How is it supposed to work? In a CTv1 world.
Hi Erwann. In a CTv1 world, ISTM that the current situation is the same for CAs that do and for CAs that don't use a precert subordinate CA. 1. As far as Mozilla is concerned, it is now a "Required Practice" (but not yet "Policy") that a CA MUST provide OCSP status for a precertificate, acting as if the corresponding certificate has been issued (even if it hasn't actually (yet) been issued). 2. As far as other consumers of the CABForum Baseline Requirements are concerned, OCSP is a certificate status protocol, and (according to the BRs) a precertificate is not a certificate. Therefore, CAs (effectively) MUST NOT provide OCSP status for a precertificate, unless the corresponding certificate has actually been issued. To resolve this conflict, there is a draft ballot being discussed on the CABForum public list: https://cabforum.org/pipermail/servercert-wg/2019-September/001097.html Until this conflict is resolved, all WebPKI CAs are out of compliance with either 1 or 2. :-( > Le ven. 20 sept. 2019 à 15:52, Rob Stradling <[email protected] > <mailto:[email protected]>> a écrit : > > [This topic came up on mozilla.dev.security.policy recently. Although > the focus there is on the currently deployed CT v1 ecosystem, ISTM that > TRANS should consider if/how CT v2 (6962-bis) should address the > same issue] > > How should revocation servers behave when a precertificate exists but > the corresponding certificate has not yet been (or will never be) > issued? > > Should it be possible to revoke a precertificate when the corresponding > certificate has not been issued? > > In RFC6962, precertificates are X.509 certificates, and so it's not > unreasonable to expect OCSP responders to be able to provide their > status. However, 6962-bis precertificates are not X.509 certificates, > which I think changes what might or might not be a reasonable > expectation. > > Andrew points out (see forwarded message below) that outside observers > have to assume that a certificate has been issued when they see a > corresponding precertificate (since the presumed-to-exist certificate > may never be submitted to a log), and that outside observers will > expect > CAs to operate revocation services for the presumed-to-exist > certificates. > > Back to CT v1: Mozilla now requires [1] that... > "- A CA must provide OCSP services and responses in accordance with > Mozilla policy for all certificates presumed to exist based on the > presence of a Precertificate, even if the certificate does not actually > exist > - A CA must be able to revoke a certificate presumed to exist, if > revocation of the certificate is required under Mozilla policy, even if > the certificate does not actually exist." > > ISTM that we should address this topic in 6962-bis somehow, but what do > folks think we could say without straying into "policy"? > > > [1] > > https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Precertificates > > > -------- Forwarded Message -------- > Subject: Re: DigiCert OCSP services returns 1 byte > Date: Mon, 16 Sep 2019 10:08:00 -0700 > From: Andrew Ayer <[email protected] <mailto:[email protected]>> > To: Rob Stradling <[email protected] <mailto:[email protected]>> > CC: [email protected] > <mailto:[email protected]> > > On Fri, 13 Sep 2019 08:22:21 +0000 > Rob Stradling via dev-security-policy > <[email protected] > <mailto:[email protected]>> wrote: > > > Thinking aloud... > > Does anything need to be clarified in 6962-bis though? > > Yes, it's long past time that we clarified what this means: > > "This signature indicates the CA's intent to issue the certificate. > This > intent is considered binding (i.e., misissuance of the precertificate is > considered equivalent to misissuance of the corresponding certificate)." > > The goal is that a precertificate signature creates an unrebuttable > presumption that the CA has issued the corresponding certificate. If a > CA issues a precertificate, outside observers will treat the CA as if > it had issued the corresponding certificate - whether or not the CA > really did - so the CA should behave accordingly. > > It's worth explicitly mentioning the implications of this: > > * The CA needs to operate revocation services for the corresponding > certificate as if the certificate had been issued. > > * If the corresponding certificate would be misissued, the CA will be > treated as if it had really issued that certificate. > > Are there any other implications that 6962-bis should call out > explicitly? > > Regards, > Andrew > > _______________________________________________ > Trans mailing list > [email protected] <mailto:[email protected]> > https://www.ietf.org/mailman/listinfo/trans > > -- > Erwann. -- Rob Stradling Senior Research & Development Scientist Email: [email protected] Bradford, UK Office: +441274024707 Sectigo Limited This message and any files associated with it may contain legally privileged, confidential, or proprietary information. If you are not the intended recipient, you are not permitted to use, copy, or forward it, in whole or in part without the express consent of the sender. Please notify the sender by reply email, disregard the foregoing messages, and delete it immediately. _______________________________________________ Trans mailing list [email protected] https://www.ietf.org/mailman/listinfo/trans
