On 19/09/15 19:12, Brian Smith wrote:
> On Sat, Sep 19, 2015 at 7:20 AM, Gervase Markham <
ge...@mozilla.org> wrote:
>
>> Symantec just fired people for mis-issuing a
google.com 1-day pre-cert:
>
> By the way, Symantec didn't say "pre-cert," they said "certificates".
>
> Also, I we shouldn't be splitting hairs at the difference between
> pre-certificates and certificates as far as mis-issuance detection is
> concerned. If people think there is a meaningful (technical, legal, etc.)
> distinction between a pre-certificate being logged via CT and the
> corresponding certificate being logged in CT, then we should consider
> removing the pre-certificate mechanism from CT so that there's no doubts in
> that. My view is that there is no meaningful difference.
There is no meaningful difference. Anyone who thinks otherwise has not
read RFC6962 Section 3.1 properly. It says the following about
precertificate (mis)issuance...
"The signature on the TBSCertificate indicates the certificate
authority's intent to issue a certificate. This intent is considered
binding (i.e., misissuance of the Precertificate is considered equal
to misissuance of the final certificate)."
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online