[Servercert-wg] [EXTERNAL] Ballot SC23: Precertificates

Kirk Hall Kirk.Hall at entrustdatacard.com
Mon Oct 21 14:56:41 MST 2019

Sorry, Rob, I hadn't read this when I sent my prior message.

Is your only concern the *name* Online Certificate Status Protocol?  https://tools.ietf.org/html/rfc6960  OK, let's create a BR definition of "OPSC" for online pre-certificate status protocol, and say it will be conducted according to the provisions of RFC 6960 but for pre-certificates?

-----Original Message-----
From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Rob Stradling via Servercert-wg
Sent: Monday, October 21, 2019 7:53 AM
To: Jeremy Rowley <jeremy.rowley at digicert.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>; Ryan Sleevi <sleevi at google.com>
Subject: Re: [Servercert-wg] [EXTERNAL] Ballot SC23: Precertificates

On 18/10/2019 17:13, Jeremy Rowley via Servercert-wg wrote:
> 2) If there is an issue, and the CA only creates a Precertificate, but 
> does not create a Certificate, what is the expected response?
> Same as above. I can’t tell what it should be because I can’t tell if 
> the BRs are supposed to apply to OCSP for pre-certs.

OCSP is the Online *Certificate* Status Protocol.  Its purpose is to provide status information about *certificates*.  OCSP does not provide status information about things that are not certificates.

Currently the BRs say that precertificates are not certificates, which (in my view) implicitly forbids CAs from providing status information via OCSP about precertificates (unless a corresponding certificate has been issued).

We need to either:
(1) Stop saying "precertificates are not certificates" in the BRs, so that precertificates become in scope for OCSP.
(2) Invent OPSP (Online Precertificate Status Protocol).
(3) Continue forbidding (in the BRs) CAs from providing OCSP status for precertificates, and somehow persuade the root programs to be happy with that.

I prefer (1), and I think it's the only sensible way forward.  RFC6962 and at least one root program already declare that CTv1 precertificates *are* certificates, and I think it's entirely reasonable for relying parties to want to obtain status information for "certificates presumed to exist based on the presence of a Precertificate" (quoting https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Precertificates).

Therefore, I still favour the SC23 draft ballot language that I've already endorsed.

Rob Stradling
Senior Research & Development Scientist
Sectigo Limited