At least for RFC 6962 (-bis is a different issue), pre-certs are certs
and so the duplication of (issuer name, serial number) between the
pre-cert and the cert is technically a violation of Mozilla policy; we
reserve the right not to include CAs who issue certs with "duplicate
issuer names and serial numbers".
We should make it clear that this is OK in the CT case. I propose the
following change:

    duplicate issuer names and serial numbers;

->

    duplicate issuer names and serial numbers (except that a Certificate
    Transparency pre-certificate is allowed to match the corresponding
    certificate);
This is:
https://github.com/mozilla/pkipolicy/issues/41
-------
This is a proposed update to Mozilla's root store policy for version
2.4. Please keep discussion in this group rather than on Github. Silence
is consent.
Policy 2.3 (current version):
https://github.com/mozilla/pkipolicy/blob/2.3/rootstore/policy.md
Update process:
https://wiki.mozilla.org/CA:CertPolicyUpdates