[cabfpub] CT Precertificates and the BRs

Rob Stradling rob.stradling at comodo.com
Thu Dec 19 00:40:03 UTC 2013

Thanks Ben.  I won't be on the call, but I look forward to reading the 
minutes.  :-)

On 18/12/13 19:51, Ben Wilson wrote:
> I'm adding a 10-minute block of time on tomorrow's call to discuss this.
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Rob Stradling
> Sent: Tuesday, December 17, 2013 6:18 AM
> To: public at cabforum.org
> Subject: [cabfpub] CT Precertificates and the BRs
> RFC6962 (Certificate Transparency) permits a Precertificate to be signed by
> the same CA Name/Key that signs the corresponding Certificate, and for the
> Precertificate and Certificate to share the same Serial Number.
> However, BRs Appendix B (4) says:
>      "All other fields and extensions MUST be set in accordance with RFC
>       5280."
> Although the title of Appendix B is "Certificate Extensions", I think
> "fields and extensions" must surely imply that "fields" are the
> non-extension parts of a certificate (such as the serial number).
> And since certificate serial numbers are not explicitly mentioned in
> Appendix B, I have to conclude that certificate serial numbers "MUST be set
> in accordance with RFC 5280".
> RFC 5280 Section says:
>      "The serial number...MUST be unique for each certificate issued by a
>       given CA (i.e., the issuer name and serial number identify a unique
>       certificate)".
> It seems that the practice of using the same CA Name/Key to sign both a
> Precertificate and Certificate is currently _illegal_ under the BRs.
> RFC6962 also permits a Precertificate to be signed by a subordinate
> Precertificate Signing Certificate.  This approach doesn't violate
> RFC5280 or the BRs, but some CAs will want to avoid the burden of managing a
> Precertificate Signing Certificate for every subordinate CA they operate.
> So, Ben Laurie and I have been working on some other possible solutions, but
> our preferred outcome would be for both of the Precertificate signing
> options in RFC6962 to be made legal.
> Therefore, I would like to propose updating Appendix B of the BRs so that
> CAs are permitted to sign a Precertificate and a Certificate (sharing the
> same serial number) using the same CA Name/Key.
> Would anybody have a problem with that?
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.

More information about the Public mailing list