[cabfpub] Ballot for limited exemption to RFC 5280 for CT implementation
Rob Stradling
rob.stradling at comodo.com
Thu Sep 18 09:08:00 UTC 2014
On 18/09/14 04:55, Brian Smith wrote:
> On Wed, Sep 17, 2014 at 7:01 PM, Kirk Hall wrote:
>
> 1. Amend the Definitions as follows:
>
> Valid Certificate: A Certificate that passes the validation
> procedure specified in RFC 5280 (except for the limited exemption
> provided in Appendix B).
>
>
> This seems like a bad and unnecessary idea to me. The trans working
> group is already debating discussing the format of precertificates so
> that they are not syntactically-valid certificates for the
> standards-track CT mechanism. The version of CT Google and the CAs have
> implemented is an experiment, not a standard or proposed standard. The
> CAs can work around this issue by using the OCSP-based CT mechanism
> instead of the precertificate mechanism.
Hi Brian.
It would be great if OCSP Stapling was already deployed sufficiently
ubiquitously for this workaround to be viable. Unfortunately, it's
still not.
> Finally, IIUC, the only
> negative consequence of this is that EV certificates won't get the EV
> indicator in Google Chrome. It doesn't affect any other clients, IIUC.
Correct. However, EV certificate holders really don't want to lose the
EV indicator in Chrome!
> IMO, it makes more sense to change the experiment than it does to
> (effectively) change the fundamental standards that all CABForum work is
> based on.
Maybe so, but I don't see any sign of Google's CT/EV plan being
derailed. Remember, it's already been 3 years since the DigiNotar
incident...
> Note that the use or non-use of a precertificate signing certificate has
> no bearing (IIUC) on whether the precertificate would be a duplicate of
> the final certificate, because the difference between Option 1 and
> Option 2 doesn't affect the issuer and serial number fields of the
> precertificate.
Not quite. The Precertificate's serial number is indeed the same with
both options. However, the Precertificate's issuer name and AKI are
different, depending on whether option 1 or 2 is used.
<snip>
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
COMODO CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ
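Editor's added example, not part of the thread or of any CA's code: a simplified model (plain dataclasses, not ASN.1) of RFC 6962 sections 3.1 and 3.2 that shows why the two precertificate options discussed above differ. Under Option 1 the CA signs the Precertificate directly, so it shares issuer name, serial number and AKI with the final certificate and collides with the RFC 5280 uniqueness rule for (issuer, serial); under Option 2 a Precertificate Signing Certificate signs it, so the serial is the same but issuer and AKI differ, and a log or client must swap the CA's values back in before hashing the TBS. All names and serials are constructed sample values.

```python
from dataclasses import dataclass, replace

PRECERT_POISON_OID = "1.3.6.1.4.1.11129.2.4.3"   # RFC 6962 poison extension
PRECERT_SIGNING_EKU = "1.3.6.1.4.1.11129.2.4.4"  # RFC 6962 precert signing EKU

@dataclass(frozen=True)
class TBS:                      # the fields of tbsCertificate that matter here
    issuer: str
    serial: int
    subject: str
    aki: str                    # Authority Key Identifier
    extensions: frozenset = frozenset()

@dataclass(frozen=True)
class Issuer:                   # a CA, or a Precertificate Signing Certificate
    name: str
    ski: str                    # Subject Key Identifier; becomes AKI of what it signs
    eku: frozenset = frozenset()
    parent: "Issuer | None" = None   # the CA that issued a precert signing cert

def build_precert(final: TBS, signer: Issuer) -> TBS:
    # Option 1: signer is the CA itself, so issuer/AKI equal the final cert's.
    # Option 2: signer is a Precertificate Signing Certificate, so the precert
    # carries that certificate's subject name and key identifier instead.
    return replace(final, issuer=signer.name, aki=signer.ski,
                   extensions=final.extensions | {PRECERT_POISON_OID})

def reconstruct_tbs(precert: TBS, signer: Issuer) -> TBS:
    # RFC 6962 s3.2: drop the poison extension; if a precert signing cert was
    # used, replace issuer name and AKI with the CA's before hashing the TBS.
    tbs = replace(precert, extensions=precert.extensions - {PRECERT_POISON_OID})
    if PRECERT_SIGNING_EKU in signer.eku:
        tbs = replace(tbs, issuer=signer.parent.name, aki=signer.parent.ski)
    return tbs

def rfc5280_duplicate(a: TBS, b: TBS) -> bool:
    # RFC 5280 s4.1.2.2: serial numbers must be unique per issuer
    return (a.issuer, a.serial) == (b.issuer, b.serial)

def compare_options() -> dict:
    ca = Issuer(name="CN=Example CA", ski="ski-ca")               # constructed
    psc = Issuer(name="CN=Example Precert Signer", ski="ski-psc",  # constructed
                 eku=frozenset({PRECERT_SIGNING_EKU}), parent=ca)
    final = TBS(issuer=ca.name, serial=0x1234, subject="CN=example.com", aki=ca.ski)
    p1, p2 = build_precert(final, ca), build_precert(final, psc)
    return {"option1_duplicate": rfc5280_duplicate(p1, final),
            "option2_duplicate": rfc5280_duplicate(p2, final),
            "option1_reconstructs": reconstruct_tbs(p1, ca) == final,
            "option2_reconstructs": reconstruct_tbs(p2, psc) == final}
```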