[cabfpub] CT Precertificates and the BRs
Rob Stradling
rob.stradling at comodo.com
Thu Dec 19 08:25:00 MST 2013
On 19/12/13 15:01, Phillip Hallam-Baker wrote:
> We have a pre-certificate standard already, its called a CSR.
That's true.
> It might not have all the fields we need yet.
Indeed. It doesn't have all the fields we need.
> But I am very unhappy with CAs signing anything that looks like a certificate but is not a certificate.
Currently, a CT Precertificate looks like a certificate and _is_ a
certificate.
> There must be no possible way that CT could compromise the existing WebPKI
Sure. If there are 2 certs (a Certificate and its associated CT
Precertificate) with the same Issuer Name and Serial Number, what
exactly would break in the WebPKI?
The inability to revoke one without also revoking the other is actually
a requirement (not a problem) in this case.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
COMODO CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ
This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
sender by replying to the e-mail containing this attachment. Replies to
this email may be monitored by COMODO for operational or business
reasons. Whilst every endeavour is taken to ensure that e-mails are free
from viruses, no liability can be accepted and the recipient is
requested to use their own virus checking software.
More information about the Public
mailing list