[Servercert-wg] [EXTERNAL] Ballot SC23: Precertificates
Rob Stradling
rob at sectigo.com
Mon Oct 21 07:53:18 MST 2019
On 18/10/2019 17:13, Jeremy Rowley via Servercert-wg wrote:
<snip>
> 2) If there is an issue, and the CA only creates a Precertificate, but
> does not create a Certificate, what is the expected response?
>
> Same as above. I can’t tell what it should be because I can’t tell if
> the BRs are supposed to apply to OCSP for pre-certs.
OCSP is the Online *Certificate* Status Protocol. Its purpose is to
provide status information about *certificates*. OCSP does not provide
status information about things that are not certificates.
Currently the BRs say that precertificates are not certificates, which
(in my view) implicitly forbids CAs from providing status information
via OCSP about precertificates (unless a corresponding certificate has
been issued).
We need to either:
(1) Stop saying "precertificates are not certificates" in the BRs, so
that precertificates become in scope for OCSP.
or
(2) Invent OPSP (Online Precertificate Status Protocol).
or
(3) Continue forbidding (in the BRs) CAs from providing OCSP status for
precertificates, and somehow persuade the root programs to be happy with
that.
I prefer (1), and I think it's the only sensible way forward. RFC6962
and at least one root program already declare that CTv1 precertificates
*are* certificates, and I think it's entirely reasonable for relying
parties to want to obtain status information for "certificates presumed
to exist based on the presence of a Precertificate" (quoting
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Precertificates).
Therefore, I still favour the SC23 draft ballot language that I've
already endorsed.
--
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited
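The status-lookup point in the post above can be made concrete. The following is an added example, not code from the post, from Sectigo or from any CA: it builds an RFC 6960 OCSP CertID (and the minimal OCSPRequest around it) for a CT precertificate and for the certificate it corresponds to. The issuer Name, the issuer key octets, the serial number and the SCT-list value are all constructed stand-ins; the point demonstrated is that the request carries only issuer hashes and a serial, so a responder receives exactly the same query whether the relying party holds the precertificate or the "certificate presumed to exist".

```python
"""Added example (not part of the original post). Builds an RFC 6960
CertID and a minimal OCSPRequest from constructed issuer data for a CT
precertificate and for its corresponding certificate."""
import hashlib


# --- minimal DER helpers, enough for CertID / OCSPRequest -----------------
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(value: int) -> bytes:
    # Non-negative INTEGER; a leading 0x00 is added when the top bit is set.
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))


SHA1_OID = der_oid("1.3.14.3.2.26")
PRECERT_POISON_OID = "1.3.6.1.4.1.11129.2.4.3"  # RFC 6962 poison extension
CT_SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"     # RFC 6962 embedded SCT list


def is_precertificate(cert: dict) -> bool:
    """RFC 6962: a precertificate carries the critical poison extension."""
    return any(oid == PRECERT_POISON_OID and critical
               for oid, critical, _ in cert["extensions"])


def ocsp_cert_id(issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> bytes:
    """RFC 6960 4.1.1 CertID with SHA-1 hashes.
    issuer_name_der: DER of the issuer's Name.
    issuer_key_bits: value octets of the issuer's subjectPublicKey BIT STRING
    (tag, length and unused-bits octet excluded)."""
    hash_alg = der(0x30, SHA1_OID + der(0x05, b""))  # AlgorithmIdentifier sha1, NULL
    return der(0x30, hash_alg
               + der(0x04, hashlib.sha1(issuer_name_der).digest())
               + der(0x04, hashlib.sha1(issuer_key_bits).digest())
               + der_integer(serial))


def ocsp_request(cert_id: bytes) -> bytes:
    """Unsigned OCSPRequest with one Request and no extensions:
    OCSPRequest { TBSRequest { requestList { Request { reqCert } } } }."""
    request = der(0x30, cert_id)
    request_list = der(0x30, request)
    tbs_request = der(0x30, request_list)
    return der(0x30, tbs_request)


def cert_id_for(cert: dict) -> bytes:
    return ocsp_cert_id(cert["issuer_name_der"], cert["issuer_key_bits"], cert["serial"])


def same_ocsp_query(a: dict, b: dict) -> bool:
    """True when an OCSP client would send byte-identical CertIDs for a and b."""
    return cert_id_for(a) == cert_id_for(b)


# --- constructed sample data (placeholders, not a real CA) ----------------
ISSUER_NAME = der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3")
                                       + der(0x0C, b"Constructed Test CA"))))
ISSUER_KEY_BITS = bytes(range(64))  # stand-in for a real subjectPublicKey
SERIAL = 0x0A1B2C3D4E5F60718293A4B5C6D7E8F9

PRECERT = {"serial": SERIAL, "issuer_name_der": ISSUER_NAME,
           "issuer_key_bits": ISSUER_KEY_BITS,
           "extensions": [(PRECERT_POISON_OID, True, der(0x05, b""))]}
# RFC 6962: the final certificate is the precertificate with the poison
# removed and the SCT list added; issuer and serial are unchanged.
FINAL_CERT = {"serial": SERIAL, "issuer_name_der": ISSUER_NAME,
              "issuer_key_bits": ISSUER_KEY_BITS,
              "extensions": [(CT_SCT_LIST_OID, False, b"<constructed SCT list>")]}

if __name__ == "__main__":
    print("precert:", is_precertificate(PRECERT), "final:", is_precertificate(FINAL_CERT))
    print("same OCSP CertID:", same_ocsp_query(PRECERT, FINAL_CERT))
    print("OCSPRequest:", ocsp_request(cert_id_for(PRECERT)).hex())
```

Because the poison extension never enters the CertID, a responder that keys its status database on issuer hashes plus serial, as responders do, has no way to know which of the two artefacts the client holds; that is the practical reason the "precertificates are not certificates" wording cannot be reflected in OCSP behaviour without an out-of-band signal.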