On 19/09/2019 21:01, Ryan Sleevi wrote:
<snip>
> It would be helpful for one of the relevant documents, or another
> document, or even an errata, to clarify that OCSP services can be
> offered for pre-certificates. It’s merely a question of clarifying
> the technical requirements about how an OCSP service should operate,
> as those requirements currently can be read to not allow OCSP
> responses for non-certificates.
>
>
> I'm still not sure I agree with the conflict, which is the key. In
> either event, we're arguably discussing a profile / the operational
> constraints specific to a given CA, and not something general with the
> protocol. Whether or not a pre-certificate is treated as equivalent
> issuance is, ultimately, a policy question.

Tim, Ryan,

I just started a thread on the TRANS list about this. Please could I ask you to take this discussion there?

-- 
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

