[Servercert-wg] [EXTERNAL] Draft Ballot: Precertificates and OCSP
wthayer at mozilla.com
Fri Sep 20 14:39:33 MST 2019
On Fri, Sep 20, 2019 at 2:18 PM Bruce Morton <Bruce.Morton at entrustdatacard.com> wrote:
> Hi Wayne,
> In summary, does this mean that a precertificate is a certificate per RFC
> 5280 with the exception of RFC 5280 section 184.108.40.206, and as such, OCSP
> should respond to the status of a precertificate as if a certificate has
> been issued?
That's a good way to think about it, especially in the context of BR 4.9.10.
I can argue that this change isn't needed because what we're really saying
is that the existence of a precertificate indicates that a certificate
exists, thus the OCSP response must comply with section 4.9.10. However, we
know there are cases when that assumption isn't true, so this change
attempts to permit a "good" OCSP response for a precertificate without
getting into a debate over whether the precertificate IS a certificate.