[cabfpub] CT Precertificates and the BRs

Ben Laurie benl at google.com
Thu Dec 19 10:48:25 UTC 2013


Unfortunately, I can't be on the call either (optician's appointment),
but would be happy to answer any questions (in advance or after).

On 19 December 2013 00:40, Rob Stradling <rob.stradling at comodo.com> wrote:
> Thanks Ben.  I won't be on the call, but I look forward to reading the
> minutes.  :-)
>
> On 18/12/13 19:51, Ben Wilson wrote:
>> I'm adding a 10-minute block of time on tomorrow's call to discuss this.
>>
>> -----Original Message-----
>> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
>> Behalf Of Rob Stradling
>> Sent: Tuesday, December 17, 2013 6:18 AM
>> To: public at cabforum.org
>> Subject: [cabfpub] CT Precertificates and the BRs
>>
>> RFC6962 (Certificate Transparency) permits a Precertificate to be signed by
>> the same CA Name/Key that signs the corresponding Certificate, and for the
>> Precertificate and Certificate to share the same Serial Number.
>>
>> However, BRs Appendix B (4) says:
>>      "All other fields and extensions MUST be set in accordance with RFC
>>       5280."
>> Although the title of Appendix B is "Certificate Extensions", I think
>> "fields and extensions" must surely imply that "fields" are the
>> non-extension parts of a certificate (such as the serial number).
>> And since certificate serial numbers are not explicitly mentioned in
>> Appendix B, I have to conclude that certificate serial numbers "MUST be set
>> in accordance with RFC 5280".
>> RFC 5280 Section 4.1.2.2 says:
>>      "The serial number...MUST be unique for each certificate issued by a
>>       given CA (i.e., the issuer name and serial number identify a unique
>>       certificate)".
>>
>> It seems that the practice of using the same CA Name/Key to sign both a
>> Precertificate and Certificate is currently _illegal_ under the BRs.
>>
>> RFC6962 also permits a Precertificate to be signed by a subordinate
>> Precertificate Signing Certificate.  This approach doesn't violate
>> RFC5280 or the BRs, but some CAs will want to avoid the burden of managing a
>> Precertificate Signing Certificate for every subordinate CA they operate.
>> So, Ben Laurie and I have been working on some other possible solutions, but
>> our preferred outcome would be for both of the Precertificate signing
>> options in RFC6962 to be made legal.
>>
>> Therefore, I would like to propose updating Appendix B of the BRs so that
>> CAs are permitted to sign a Precertificate and a Certificate (sharing the
>> same serial number) using the same CA Name/Key.
>>
>> Would anybody have a problem with that?
>>
>> --
>> Rob Stradling
>> Senior Research & Development Scientist
>> COMODO - Creating Trust Online
>>
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
>>
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
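Editor's added example, not code from this thread, from RFC 6962 or from any CA: a Go program that builds a constructed test CA, issues a Precertificate and the corresponding Certificate with the same serial number under the same CA Name/Key (the first of the two RFC 6962 options Rob describes), and then checks the pair the way a log or relying tool would. It confirms that the Precertificate carries the critical poison extension, that the Certificate carries the SCT list extension, that the two TBSCertificates are identical once the poison and SCT list extensions are removed (the normalisation RFC 6962 section 3.2 applies), that one CA certificate verifies both signatures, and that issuer Name and serial number are the same, which is exactly the RFC 5280 section 4.1.2.2 collision under discussion. The CA name, the host name, the serial 0x1234 and the SCT list bytes are constructed placeholders. The check covers only the same-CA option: with a Precertificate Signing Certificate the issuer differs and section 3.2 prescribes rewriting issuer and AKID before comparing, which this code does not do.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidPoison = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}  // RFC 6962 3.1 precertificate poison
var oidSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2} // RFC 6962 3.3 SCT list extension

// tbsCertificate follows RFC 5280 4.1 with all but Extensions kept as raw DER (uniqueID fields omitted: RFC 5280 forbids them).
type tbsCertificate struct {
	Version                                                         int `asn1:"optional,explicit,default:0,tag:0"`
	SerialNumber                                                    *big.Int
	SignatureAlgorithm, Issuer, Validity, Subject, SubjectPublicKey asn1.RawValue
	Extensions                                                      []pkix.Extension `asn1:"optional,explicit,omitempty,tag:3"`
}

// tbsWithout re-encodes a TBSCertificate with one extension removed (returning it): the RFC 6962 3.2 normalisation.
func tbsWithout(rawTBS []byte, drop asn1.ObjectIdentifier) ([]byte, *pkix.Extension, error) {
	var tbs tbsCertificate
	if rest, err := asn1.Unmarshal(rawTBS, &tbs); err != nil || len(rest) != 0 {
		return nil, nil, fmt.Errorf("bad TBSCertificate: %v", err)
	}
	var kept []pkix.Extension
	var removed *pkix.Extension
	for i, e := range tbs.Extensions {
		if e.Id.Equal(drop) {
			removed = &tbs.Extensions[i]
		} else {
			kept = append(kept, e)
		}
	}
	tbs.Extensions = kept
	out, err := asn1.Marshal(tbs)
	return out, removed, err
}

// PairReport records what a Precertificate and its final Certificate share.
type PairReport struct {
	PoisonCritical, CertHasSCTs, SameCASigned bool // critical poison ext on the precert; SCT list ext on the cert; one CA key signed both
	SameIssuer, SameSerial, TBSEquivalent     bool // the RFC 5280 4.1.2.2 collision; precert TBS minus poison == cert TBS minus SCT list
}

// CheckPrecertPair parses both DER certificates and relates them under RFC 6962 and RFC 5280.
func CheckPrecertPair(precertDER, certDER []byte, ca *x509.Certificate) (r PairReport, err error) {
	pre, err := x509.ParseCertificate(precertDER)
	cert, err2 := x509.ParseCertificate(certDER)
	if err != nil || err2 != nil {
		return r, fmt.Errorf("parse: %v; %v", err, err2)
	}
	preTBS, poison, err := tbsWithout(pre.RawTBSCertificate, oidPoison)
	certTBS, scts, err2 := tbsWithout(cert.RawTBSCertificate, oidSCTList)
	if err != nil || err2 != nil {
		return r, fmt.Errorf("tbs: %v; %v", err, err2)
	}
	r.PoisonCritical = poison != nil && poison.Critical
	r.CertHasSCTs = scts != nil
	r.SameIssuer = string(pre.RawIssuer) == string(cert.RawIssuer)
	r.SameSerial = pre.SerialNumber.Cmp(cert.SerialNumber) == 0
	r.SameCASigned = pre.CheckSignatureFrom(ca) == nil && cert.CheckSignatureFrom(ca) == nil
	r.TBSEquivalent = string(preTBS) == string(certTBS)
	return r, nil
}

// MakePair builds a constructed test CA, then issues a Precertificate and a Certificate from one template, both signed by the CA key.
func MakePair() (preDER, certDER []byte, ca *x509.Certificate, err error) {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader) // keygen from rand.Reader does not fail in practice
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caKey.Public(), caKey)
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return
	}
	leaf := x509.Certificate{SerialNumber: big.NewInt(0x1234), Subject: pkix.Name{CommonName: "www.example.com"},
		DNSNames: []string{"www.example.com"}, NotBefore: now, NotAfter: now.Add(time.Hour)} // serial reused on purpose
	pre, final := leaf, leaf
	pre.ExtraExtensions = []pkix.Extension{{Id: oidPoison, Critical: true, Value: []byte{0x05, 0x00}}} // extnValue is ASN.1 NULL
	final.ExtraExtensions = []pkix.Extension{{Id: oidSCTList, Value: []byte{0x04, 0x02, 0x00, 0x00}}} // constructed placeholder, not a real SCT list
	if preDER, err = x509.CreateCertificate(rand.Reader, &pre, ca, leafPub, caKey); err != nil {
		return
	}
	certDER, err = x509.CreateCertificate(rand.Reader, &final, ca, leafPub, caKey)
	return
}

func main() {
	pre, cert, ca, _ := MakePair() // constructed pair; any failure surfaces as a CheckPrecertPair error
	fmt.Println(CheckPrecertPair(pre, cert, ca))
}
```

Run as a program it prints the PairReport for the constructed pair; with a real Precertificate and Certificate the two DER blobs and the issuing CA certificate go to CheckPrecertPair in place of MakePair's output. The two DER objects are distinct (different extension, different signature) yet share issuer and serial, which is the situation Rob's reading of Appendix B (4) and RFC 5280 4.1.2.2 rules out; under the Precertificate Signing Certificate option the same check reports SameIssuer and TBSEquivalent false, since the issuer is a different CA.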
