[cabfpub] CT Precertificates and the BRs

Erwann Abalea erwann.abalea at keynectis.com
Tue Jan 7 08:47:36 MST 2014


On 07/01/2014 13:14, Rob Stradling wrote:
> I've changed my mind.  I no longer think that a CT Precertificate (with
> the same Issuer Name/Key and Serial Number as the corresponding SSL
> Certificate) is currently illegal under the BRs.
>
> The current scope of the BRs is "Certificates intended to be used for
> authenticating servers accessible through the Internet".  A CT
> Precertificate is only intended to be used to verify that the CA and the
> CT Log(s) are doing CT stuff correctly.  It's the corresponding SSL
> Certificate that is intended to be used for authenticating server(s).

I think it's a dangerous reading. It could be stretched to authorize 
several colliding {issuerDN,serialNumber} certificates as long as only 
one of those certificates is "intended to be used for authenticating 
servers accessible through the Internet" (since it's the rationale 
you're using).
For example, {issuerDN="C=US,O=BadCA", serialNumber=1} could be 
associated with such a TLS certificate and a TSP certificate and an Adobe 
signing certificate and even an OCSP responder.
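As an added illustration of the collision Erwann describes (example code, not part of the thread): the check below groups issued certificates by {issuerDN, serialNumber} and accepts a duplicate only when it is an RFC 6962 precertificate paired with its final certificate, i.e. the TBS content matches once the poison and SCT-list extensions are stripped. The dict-based certificate model, the EKU labels and the sample data are constructed for this example; the two extension OIDs are the real RFC 6962 values.

```python
# Added example: detect colliding {issuerDN, serialNumber} pairs, allowing only
# the RFC 6962 precertificate/final-certificate pair as a legitimate duplicate.
# Certificates are modelled as plain dicts (constructed), not parsed X.509.
from collections import defaultdict

PRECERT_POISON_OID = "1.3.6.1.4.1.11129.2.4.3"  # RFC 6962 critical poison extension
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"        # RFC 6962 embedded SCT list

def is_precert(cert):
    return PRECERT_POISON_OID in cert["extensions"]

def core_fields(cert):
    """TBS content with the CT-specific extensions removed, for pairwise comparison."""
    exts = {oid: v for oid, v in cert["extensions"].items()
            if oid not in (PRECERT_POISON_OID, SCT_LIST_OID)}
    return (cert["issuer"], cert["serial"], cert["subject"], cert["eku"],
            tuple(sorted(exts.items())))

def audit_serials(certs):
    """Return (issuer, serial, reason) for every collision that is not a valid precert pair."""
    groups = defaultdict(list)
    for c in certs:
        groups[(c["issuer"], c["serial"])].append(c)
    problems = []
    for (issuer, serial), group in groups.items():
        finals = [c for c in group if not is_precert(c)]
        pres = [c for c in group if is_precert(c)]
        if len(finals) > 1:
            problems.append((issuer, serial, "multiple final certificates share the serial"))
        elif len(pres) > 1:
            problems.append((issuer, serial, "multiple precertificates share the serial"))
        elif pres and finals and core_fields(pres[0]) != core_fields(finals[0]):
            problems.append((issuer, serial, "precertificate does not match its final certificate"))
    return problems

# Constructed sample data: one well-formed precert/final pair, plus the BadCA
# case from the thread where serial 1 is reused across four unrelated certificates.
GOOD_TLS = {"issuer": "C=FR,O=GoodCA", "serial": 4242, "subject": "CN=www.example.com",
            "eku": ("serverAuth",), "extensions": {SCT_LIST_OID: "sct-list-bytes"}}
GOOD_PRE = {**GOOD_TLS, "extensions": {PRECERT_POISON_OID: "NULL"}}
BAD_CA = [{"issuer": "C=US,O=BadCA", "serial": 1, "subject": s, "eku": e, "extensions": {}}
          for s, e in [("CN=www.example.com", ("serverAuth",)),
                       ("CN=TSA", ("timeStamping",)),
                       ("CN=PDF signer", ("pdfSigning",)),     # constructed EKU label
                       ("CN=OCSP responder", ("OCSPSigning",))]]
SAMPLE_CERTS = [GOOD_PRE, GOOD_TLS] + BAD_CA

if __name__ == "__main__":
    for issuer, serial, reason in audit_serials(SAMPLE_CERTS):
        print(f"{issuer} serial {serial}: {reason}")
```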
