[Servercert-wg] Draft Ballot: Precertificates and OCSP

Jacob Hoffman-Andrews jsha at letsencrypt.org
Fri Sep 20 15:40:10 MST 2019


Thanks for drafting this!

On Fri, Sep 20, 2019 at 2:05 PM Wayne Thayer via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> For purposes of clarification, a Precertificate, as described in RFC 6962
> – Certificate Transparency, shall not be considered to be a “certificate”
> subject to the serial number uniqueness requirements of section 4.1.2.2 of
> RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and
> Certificate Revocation List (CRL) Profile under these Baseline Requirements.
>

There's a hole in this where you could issue hundreds of precertificates
all with the same serial number. Arguably that hole exists in the current
BRs as well. How about:

For purposes of clarification, any Precertificate MAY have the same serial
number as exactly one certificate that is not a Precertificate, provided
that the two are related as described in RFC 6962. This is a modification
of the uniqueness requirements of RFC 5280 section 4.1.2.2.


> If the OCSP responder receives a request for status of a certificate that
> has not been issued, then the responder SHOULD NOT respond with a "good"
> status. OCSP responders for CAs which are not Technically Constrained in
> line with Section 7.1.5 MUST NOT respond with a "good" status for such
> certificates. The CA SHOULD monitor the responder for such requests as part
> of its security response procedures.
>

If we're aiming to clarify this language we should switch it around so the
most salient part is first:

If the OCSP responder receives a request for status of a certificate that
has not been issued, then the responder MUST NOT respond with a "good"
status. As an exception, CAs which are Technically constrained in line with
Section 7.1.5  MAY, respond with a "good" status to such requests, but this
is NOT RECOMMENDED. All CAs SHOULD monitor the responder for such requests
as part of its security response procedures.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20190920/e2a5f4b4/attachment.html>


More information about the Servercert-wg mailing list