[Servercert-wg] [EXTERNAL] Ballot SC23: Precertificates

Rob Stradling rob at sectigo.com
Mon Oct 21 07:53:18 MST 2019


On 18/10/2019 17:13, Jeremy Rowley via Servercert-wg wrote:
<snip>
> 2) If there is an issue, and the CA only creates a Precertificate, but 
> does not create a Certificate, what is the expected response?
> 
> Same as above. I can’t tell what it should be because I can’t tell if 
> the BRs are supposed to apply to OCSP for pre-certs.

OCSP is the Online *Certificate* Status Protocol.  Its purpose is to 
provide status information about *certificates*.  OCSP does not provide 
status information about things that are not certificates.

Currently the BRs say that precertificates are not certificates, which 
(in my view) implicitly forbids CAs from providing status information 
via OCSP about precertificates (unless a corresponding certificate has 
been issued).

We need to either:
(1) Stop saying "precertificates are not certificates" in the BRs, so 
that precertificates become in scope for OCSP.
or
(2) Invent OPSP (Online Precertificate Status Protocol).
or
(3) Continue forbidding (in the BRs) CAs from providing OCSP status for 
precertificates, and somehow persuade the root programs to be happy with 
that.

I prefer (1), and I think it's the only sensible way forward.  RFC6962 
and at least one root program already declare that CTv1 precertificates 
*are* certificates, and I think it's entirely reasonable for relying 
parties to want to obtain status information for "certificates presumed 
to exist based on the presence of a Precertificate" (quoting 
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Precertificates).

Therefore, I still favour the SC23 draft ballot language that I've 
already endorsed.

-- 
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited
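As an added illustration (not part of Rob's message, and not code from the CA/B Forum or any CA), the following Go program, using only the standard library, shows why a relying party can sensibly ask an OCSP responder about the "certificate presumed to exist": RFC 6962 requires the precertificate's TBSCertificate, minus the poison extension, to match the final certificate's TBSCertificate minus the SCT list, so the issuer and serial number, which are the only inputs to an OCSP CertID, are identical for both. It mints a constructed toy CA and a precertificate/certificate pair for the made-up host example.test, derives the CertID for each, and also demonstrates the other half of the picture: the precertificate fails ordinary path validation because of its critical poison extension, which is why it is only "presumed" to correspond to a certificate. The CA name, host name and function names are assumptions of this example, not identifiers from the thread.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Precertificate poison extension, RFC 6962 section 3.1 (critical, value NULL).
var oidPrecertPoison = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}

// CertID is the lookup key an OCSP client sends (RFC 6960 section 4.1.1); it
// identifies a certificate purely by its issuer and its serial number.
type CertID struct {
	IssuerNameHash []byte
	IssuerKeyHash  []byte
	Serial         *big.Int
}

func (c CertID) Equal(o CertID) bool {
	return bytes.Equal(c.IssuerNameHash, o.IssuerNameHash) &&
		bytes.Equal(c.IssuerKeyHash, o.IssuerKeyHash) &&
		c.Serial.Cmp(o.Serial) == 0
}

// subjectPublicKeyInfo exposes the raw subjectPublicKey BIT STRING, which is
// what issuerKeyHash is computed over (not the whole SubjectPublicKeyInfo).
type subjectPublicKeyInfo struct {
	Algorithm pkix.AlgorithmIdentifier
	PublicKey asn1.BitString
}

// OCSPCertID builds the SHA-1 CertID an OCSP client would send for cert.
func OCSPCertID(cert, issuer *x509.Certificate) (CertID, error) {
	var info subjectPublicKeyInfo
	if _, err := asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &info); err != nil {
		return CertID{}, err
	}
	nameHash := sha1.Sum(cert.RawIssuer)       // hash of the issuer DN as it appears in cert
	keyHash := sha1.Sum(info.PublicKey.Bytes) // hash of the issuer's public key bits
	return CertID{nameHash[:], keyHash[:], new(big.Int).Set(cert.SerialNumber)}, nil
}

// IsPrecert reports whether c carries the CT poison extension.
func IsPrecert(c *x509.Certificate) bool {
	for _, e := range c.Extensions {
		if e.Id.Equal(oidPrecertPoison) {
			return true
		}
	}
	return false
}

// VerifyAsCertificate runs ordinary TLS server path validation for host against ca.
func VerifyAsCertificate(c, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// IssuePair mints a constructed toy CA (not a real issuer), then a precertificate
// and the final certificate it predicts: same serial, issuer, subject and
// validity. The only difference is the poison extension.
func IssuePair(host string) (ca, precert, cert *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"}, // constructed
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, nil, nil, err
	}
	leaf := x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	pre := leaf // copy of the template; the poison is added only to this copy
	pre.ExtraExtensions = []pkix.Extension{{Id: oidPrecertPoison, Critical: true, Value: asn1.NullBytes}}
	issue := func(t *x509.Certificate) (*x509.Certificate, error) {
		der, err := x509.CreateCertificate(rand.Reader, t, ca, &leafKey.PublicKey, caKey)
		if err != nil {
			return nil, err
		}
		return x509.ParseCertificate(der)
	}
	if precert, err = issue(&pre); err != nil {
		return nil, nil, nil, err
	}
	if cert, err = issue(&leaf); err != nil {
		return nil, nil, nil, err
	}
	return ca, precert, cert, nil
}

func main() {
	ca, pre, cert, err := IssuePair("example.test")
	if err != nil {
		panic(err)
	}
	a, _ := OCSPCertID(pre, ca)
	b, _ := OCSPCertID(cert, ca)
	fmt.Println("same OCSP CertID for precert and cert:", a.Equal(b))
	fmt.Println("precert passes path validation:", VerifyAsCertificate(pre, ca, "example.test") == nil)
	fmt.Println("certificate passes path validation:", VerifyAsCertificate(cert, ca, "example.test") == nil)
}
```

The point of the CertID comparison is that an OCSP responder never sees the poison extension: a request built from the precertificate is byte-for-byte the request that would be built from the final certificate, so the responder can only answer about the serial, regardless of which of the two artefacts the relying party holds. The failed Verify on the precertificate shows why it is nonetheless not usable as a certificate by ordinary clients.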