Hi Wayne,

> > This means, for example, that (i) a CA must provide OCSP services and
> > responses in accordance with Mozilla policy for all Precertificates as if
> > the corresponding certificate exists, and (ii) a CA must be able to revoke
> > a Precertificate if revocation of the certificate is required under Mozilla
> > policy and the corresponding certificate doesn’t actually exist and
> > therefore cannot be revoked.
> >
>
> I will again welcome everyone's constructive feedback on this proposal, and
> when there are no further comments I'll add this to our wiki.

I'm concerned that the last paragraph could be interpreted as requiring CAs to operate OCSP services for the literal precertificates issued by dedicated precert signing CAs, rather than the corresponding certificates. This is not intended or useful, and as Tim Shirley notes it would double the OCSP signing load for any CA using precert signing CAs.

I think it's better to frame the language not as operating OCSP services for precertificates themselves, but for certificates presumed to exist based on the presence of a precertificate (even if the certificate doesn't actually exist).

Here's some suggested wording for the last paragraph:

> This means, for example, that (i) a CA must provide OCSP services
> and responses in accordance with Mozilla policy for all certificates
> presumed to exist based on the presence of a Precertificate, even if the
> certificate does not actually exist, and (ii) a CA must be able to revoke
> a certificate presumed to exist, if revocation of the certificate is required
> under Mozilla policy, even if the certificate does not actually exist.

Regards,
Andrew

