<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Wed, Sep 17, 2014 at 11:09 PM, <a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a> <span dir="ltr"><<a href="mailto:kirk_hall@trendmicro.com" target="_blank">kirk_hall@trendmicro.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="color:windowtext;font-family:Calibri,sans-serif;font-size:11pt">To deal with the need to define pre-certificates, we could change the sentence to read as follows:</span><br></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:windowtext"><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin-left:0.5in"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:windowtext">“In order to comply with the requirements of Certificate Transparency, CAs may use precertificates
<b><i><u>as defined in RFC 6962</u></i></b> and certificates that contain the same serial number and are issued from the same Subordinate CA Certificate.”</span></p></div></div></blockquote><div><br></div><div>This is not precise enough, because it doesn't say that the contents of the precertificate with (issuer, serial number) of (O=Example, 1234) must match the contents of the certificate with the same (issuer, serial number). Also, it doesn't exclude the possibility of multiple precertificates with the same (issuer, serial number). Also, RFC 6962 doesn't completely and unambiguously specify how the contents of a precertificate are compared to the contents of the final certificate.</div><div><br></div><div>Also, is it true that none of these precertificates would use the "(private)." redaction mechanism from the RFC6962bis? I assume so, since the redaction mechanism isn't in RFC6962 and is subject to change and/or even be removed.</div><div><br></div><div>Cheers,</div><div>Brian</div></div></div></div>