[Servercert-wg] Draft Ballot: Precertificates and OCSP
jsha at letsencrypt.org
Fri Sep 20 15:40:10 MST 2019
Thanks for drafting this!
On Fri, Sep 20, 2019 at 2:05 PM Wayne Thayer via Servercert-wg <servercert-wg at cabforum.org> wrote:
> For purposes of clarification, a Precertificate, as described in RFC 6962
> – Certificate Transparency, shall not be considered to be a “certificate”
> subject to the serial number uniqueness requirements of section 4.1.2.2 of
> RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and
> Certificate Revocation List (CRL) Profile under these Baseline Requirements.
There's a hole in this where you could issue hundreds of precertificates
all with the same serial number. Arguably that hole exists in the current
BRs as well. How about:
For purposes of clarification, any Precertificate MAY have the same serial
number as exactly one certificate that is not a Precertificate, provided
that the two are related as described in RFC 6962. This is a modification
of the uniqueness requirements of RFC 5280 section 4.1.2.2.
> If the OCSP responder receives a request for status of a certificate that
> has not been issued, then the responder SHOULD NOT respond with a "good"
> status. OCSP responders for CAs which are not Technically Constrained in
> line with Section 7.1.5 MUST NOT respond with a "good" status for such
> certificates. The CA SHOULD monitor the responder for such requests as part
> of its security response procedures.
If we're aiming to clarify this language we should switch it around so the
most salient part is first:
If the OCSP responder receives a request for status of a certificate that
has not been issued, then the responder MUST NOT respond with a "good"
status. As an exception, CAs which are Technically Constrained in line with
Section 7.1.5 MAY respond with a "good" status to such requests, but this
is NOT RECOMMENDED. All CAs SHOULD monitor the responder for such requests
as part of their security response procedures.
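As an added illustration of the two rules proposed above (not code from this thread or from any CA's responder), the toy ledger below allows a serial to be shared only by one Precertificate and one final certificate, and its OCSP decision never answers "good" for a serial the CA did not issue, recording such requests for the monitoring the text calls for. Serial numbers and the `allow_good_for_unissued` switch are constructed for the example.

```python
# Added example (not code from the thread or from any CA); serials are constructed.
from dataclasses import dataclass, field

@dataclass
class IssuanceLedger:
    issued: dict = field(default_factory=dict)   # serial -> {"precert", "cert"} used
    revoked: set = field(default_factory=set)
    unknown_serial_requests: list = field(default_factory=list)  # for monitoring
    allow_good_for_unissued: bool = False  # Technically Constrained exception, off

    def record(self, serial: int, is_precert: bool) -> None:
        """A serial may be shared by at most one Precertificate and one final
        certificate (the RFC 6962 pair); any other reuse is rejected."""
        kind = "precert" if is_precert else "cert"
        slots = self.issued.setdefault(serial, {"precert": False, "cert": False})
        if slots[kind]:
            raise ValueError(f"serial {serial:#x} already used by a {kind}")
        slots[kind] = True

    def revoke(self, serial: int) -> None:
        self.revoked.add(serial)

    def ocsp_status(self, serial: int) -> str:
        """Never answer 'good' for a serial the CA did not issue; 'unknown' is
        one RFC 6960 status that satisfies the proposed text."""
        if serial not in self.issued:
            self.unknown_serial_requests.append(serial)  # feed to security monitoring
            return "good" if self.allow_good_for_unissued else "unknown"
        return "revoked" if serial in self.revoked else "good"

def demo() -> dict:
    """Walk through the cases the ballot text describes and return what was observed."""
    ledger = IssuanceLedger()
    ledger.record(0x1234, is_precert=True)   # Precertificate submitted to CT logs
    ledger.record(0x1234, is_precert=False)  # the matching final certificate
    try:
        ledger.record(0x1234, is_precert=True)  # a second Precertificate with that serial
        rejected = False
    except ValueError:
        rejected = True
    results = {"second_precert_rejected": rejected,
               "issued": ledger.ocsp_status(0x1234),
               "unissued": ledger.ocsp_status(0xBEEF),
               "monitored": list(ledger.unknown_serial_requests)}
    ledger.revoke(0x1234)
    results["after_revoke"] = ledger.ocsp_status(0x1234)
    return results
```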