[cabfpub] CT Precertificates and the BRs
ben at digicert.com
Wed Dec 18 19:51:05 UTC 2013
I'm adding a 10-minute block of time on tomorrow's call to discuss this.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Rob Stradling
Sent: Tuesday, December 17, 2013 6:18 AM
To: public at cabforum.org
Subject: [cabfpub] CT Precertificates and the BRs
RFC6962 (Certificate Transparency) permits a Precertificate to be signed by
the same CA Name/Key that signs the corresponding Certificate, and for the
Precertificate and Certificate to share the same Serial Number.
However, BRs Appendix B (4) says:
"All other fields and extensions MUST be set in accordance with RFC
Although the title of Appendix B is "Certificate Extensions", I think
"fields and extensions" must surely imply that "fields" are the
non-extension parts of a certificate (such as the serial number).
And since certificate serial numbers are not explicitly mentioned in
Appendix B, I have to conclude that certificate serial numbers "MUST be set
in accordance with RFC 5280".
RFC 5280 Section 4.1.2.2 says:
"The serial number...MUST be unique for each certificate issued by a
given CA (i.e., the issuer name and serial number identify a unique
It seems that the practice of using the same CA Name/Key to sign both a
Precertificate and Certificate is currently _illegal_ under the BRs.
RFC6962 also permits a Precertificate to be signed by a subordinate
Precertificate Signing Certificate. This approach doesn't violate
RFC5280 or the BRs, but some CAs will want to avoid the burden of managing a
Precertificate Signing Certificate for every subordinate CA they operate.
So, Ben Laurie and I have been working on some other possible solutions, but
our preferred outcome would be for both of the Precertificate signing
options in RFC6962 to be made legal.
Therefore, I would like to propose updating Appendix B of the BRs so that
CAs are permitted to sign a Precertificate and a Certificate (sharing the
same serial number) using the same CA Name/Key.
Would anybody have a problem with that?
Senior Research & Development Scientist
COMODO - Creating Trust Online
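As an added example that is not part of the original thread (my code, not Rob's or Ben's), here is the check Rob's reading of RFC 6962 section 3.1 implies for the same-CA-key option: two objects under one issuer name and serial number are acceptable only if exactly one of them carries the critical poison extension (1.3.6.1.4.1.11129.2.4.3) and, with the poison and SCT-list extensions stripped, the two are otherwise the same certificate; anything else is the RFC 5280 uniqueness violation the BRs inherit. It uses only Go's standard crypto/x509, mints its own throwaway CA and leaf keys, and the SCT-list value it attaches is a constructed placeholder rather than a real SignedCertificateTimestampList. The Precertificate Signing Certificate option from RFC 6962 (where the Precertificate has a different issuer) is deliberately not handled.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// RFC 6962 section 3.1 OIDs: the critical poison marks a Precertificate,
// the SCT list is what the issued Certificate carries instead.
var (
	oidCTPoison  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}
	oidCTSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}
)

// PairKind is the verdict for two certificates compared by issuer name and serial.
type PairKind int

const (
	DistinctSerials   PairKind = iota // issuer+serial differ, RFC 5280 satisfied
	PrecertAndCert                    // exactly one side poisoned and the rest matches
	SerialCollision                   // neither (or both) poisoned: a real uniqueness violation
	MismatchedPrecert                 // poisoned, but subject, key, validity or extensions differ
)

// HasCriticalPoison reports whether c is an RFC 6962 Precertificate.
func HasCriticalPoison(c *x509.Certificate) bool {
	for _, e := range c.Extensions {
		if e.Id.Equal(oidCTPoison) {
			return e.Critical
		}
	}
	return false
}

// extensionsModuloCT drops the poison and SCT list; everything else must agree.
func extensionsModuloCT(c *x509.Certificate) map[string][]byte {
	m := make(map[string][]byte)
	for _, e := range c.Extensions {
		if !e.Id.Equal(oidCTPoison) && !e.Id.Equal(oidCTSCTList) {
			m[fmt.Sprintf("%s/%t", e.Id, e.Critical)] = e.Value
		}
	}
	return m
}

func sameTBSModuloCT(pre, final *x509.Certificate) bool {
	if !bytes.Equal(pre.RawSubject, final.RawSubject) ||
		!bytes.Equal(pre.RawSubjectPublicKeyInfo, final.RawSubjectPublicKeyInfo) ||
		!pre.NotBefore.Equal(final.NotBefore) || !pre.NotAfter.Equal(final.NotAfter) {
		return false
	}
	ep, ef := extensionsModuloCT(pre), extensionsModuloCT(final)
	if len(ep) != len(ef) {
		return false
	}
	for k, v := range ep {
		if w, ok := ef[k]; !ok || !bytes.Equal(v, w) {
			return false
		}
	}
	return true
}

// ClassifyPair applies the same-CA-key rule: one issuer+serial may name two
// objects only when one is the poisoned Precertificate of the other.
func ClassifyPair(a, b *x509.Certificate) PairKind {
	if !bytes.Equal(a.RawIssuer, b.RawIssuer) || a.SerialNumber.Cmp(b.SerialNumber) != 0 {
		return DistinctSerials
	}
	pa, pb := HasCriticalPoison(a), HasCriticalPoison(b)
	if pa == pb {
		return SerialCollision
	}
	pre, final := a, b
	if pb {
		pre, final = b, a
	}
	if sameTBSModuloCT(pre, final) {
		return PrecertAndCert
	}
	return MismatchedPrecert
}

// Demo holds constructed inputs: a throwaway CA, a Precertificate, its Certificate
// with the same serial, and a third certificate that reuses the serial for another subject.
type Demo struct{ CA, Precert, Final, Collision *x509.Certificate }

func BuildDemo() (*Demo, error) {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("keygen: %v %v", err1, err2)
	}
	start := time.Date(2013, 12, 17, 0, 0, 0, 0, time.UTC)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CT CA"},
		NotBefore: start, NotAfter: start.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leaf := func(cn string, extra ...pkix.Extension) (*x509.Certificate, error) {
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(0x1234), // shared on purpose by all three leaves
			Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
			NotBefore: start, NotAfter: start.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ExtraExtensions: extra}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
		if err != nil {
			return nil, err
		}
		return x509.ParseCertificate(der)
	}
	poison := pkix.Extension{Id: oidCTPoison, Critical: true, Value: []byte{0x05, 0x00}} // ASN.1 NULL
	sctVal, _ := asn1.Marshal([]byte("placeholder-sct-list"))                            // constructed, not a real SCT list
	sct := pkix.Extension{Id: oidCTSCTList, Value: sctVal}
	d := &Demo{CA: ca}
	if d.Precert, err = leaf("www.example.com", poison); err != nil {
		return nil, err
	}
	if d.Final, err = leaf("www.example.com", sct); err != nil {
		return nil, err
	}
	if d.Collision, err = leaf("other.example.net"); err != nil {
		return nil, err
	}
	return d, nil
}

func main() {
	d, err := BuildDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("precert vs final:", ClassifyPair(d.Precert, d.Final), "(1 = PrecertAndCert)")
	fmt.Println("final vs collision:", ClassifyPair(d.Final, d.Collision), "(2 = SerialCollision)")
	fmt.Println("precert vs collision:", ClassifyPair(d.Precert, d.Collision), "(3 = MismatchedPrecert)")
}
```

The comparison is done on the parsed fields (subject, SPKI, validity, extensions minus the two CT OIDs) rather than by rebuilding the TBSCertificate byte-for-byte, which is enough to separate the RFC 6962 pair from a genuine serial reuse; a log or auditor that wants the exact RFC 6962 reconstruction would strip the poison from the precert's DER and compare TBS encodings instead.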