[cabfpub] CT Precertificates and the BRs
rob.stradling at comodo.com
Fri Dec 20 21:24:06 UTC 2013
On 20/12/13 16:34, Phillip Hallam-Baker wrote:
> If we are having to change policy to accommodate CT then I don't think
> the choice of using the serial number can be said to be working so well.
X.509 and the PKIX RFCs are not sacred texts. The BRs have deviated
from them on a few points already: allow non-critical Name Constraints,
disallow OCSP "good" for non-issued certs.
To repeat my question:
If there are 2 certs (a Certificate and its associated CT
Precertificate) with the same Issuer Name and Serial Number, what
exactly would break in the WebPKI?
An RFC6962 Precertificate/Certificate pair MUST be revoked together, so
from this point of view sharing the same Issuer Name and Serial Number
is actually desirable.
Yes, RFC6962-bis could specify a non-X509v3 format for Precertificates,
but that would be reinventing the wheel. Not impossible, but (for those
who have already implemented RFC6962 Precertificates, including me) not
What would be the tangible benefit(s) of disallowing the same Issuer
Name and Serial Number for a Precertificate/Certificate pair?
Senior Research & Development Scientist
COMODO - Creating Trust Online