[cabfpub] CT Precertificates and the BRs
Erwann Abalea
erwann.abalea at keynectis.com
Tue Jan 7 08:47:36 MST 2014
On 07/01/2014 13:14, Rob Stradling wrote:
> I've changed my mind. I no longer think that a CT Precertificate (with
> the same Issuer Name/Key and Serial Number as the corresponding SSL
> Certificate) is currently illegal under the BRs.
>
> The current scope of the BRs is "Certificates intended to be used for
> authenticating servers accessible through the Internet". A CT
> Precertificate is only intended to be used to verify that the CA and the
> CT Log(s) are doing CT stuff correctly. It's the corresponding SSL
> Certificate that is intended to be used for authenticating server(s).
I think it's a dangerous reading. It could be stretched to authorize
several colliding {issuerDN,serialNumber} certificates as long as only
one of those certificates is "intended to be used for authenticating
servers accessible through the Internet" (since it's the rationale
you're using).
For example, {issuerDN="C=US,O=BadCA", serialNumber=1} could be
associated with such a TLS certificate and a TSP certificate and an Adobe
signing certificate and even an OCSP responder.
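An added illustration of the distinction drawn above, not code from the thread or from either poster: using Python's `cryptography` library (assumed installed), it builds a TLS certificate, its CT precertificate (same issuer and serial, plus the critical poison extension from RFC 6962) and a TSP certificate reusing the same serial, then classifies each reused {issuerDN, serialNumber} pair. The "BadCA" issuer and the subject names are constructed for the example.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed example issuer, borrowed from the thread's hypothetical "BadCA".
ISSUER = x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
                    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "BadCA")])

def build(serial, subject_cn, key, precert=False):
    """Self-signed toy certificate under ISSUER. With precert=True it carries the
    critical CT poison extension (RFC 6962 s3.1) that makes clients reject it."""
    start = datetime.datetime(2014, 1, 7)
    builder = (x509.CertificateBuilder()
               .issuer_name(ISSUER).serial_number(serial)
               .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
               .public_key(key.public_key())
               .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365)))
    if precert:
        builder = builder.add_extension(x509.PrecertPoison(), critical=True)
    return builder.sign(key, hashes.SHA256())

def is_precertificate(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.PrecertPoison).critical
    except x509.ExtensionNotFound:
        return False

def classify_serial_reuse(certs):
    """Group by {issuerDN, serialNumber}. One final certificate plus its poisoned
    precertificate is the CT case; any other reuse (e.g. TLS + TSP) is a collision."""
    groups = {}
    for cert in certs:
        groups.setdefault((cert.issuer.rfc4514_string(), cert.serial_number), []).append(cert)
    report = {}
    for key, members in groups.items():
        finals = [c for c in members if not is_precertificate(c)]
        if len(members) > 1:
            report[key] = "ct-precert-mirror" if len(finals) == 1 else "serial-collision"
    return report

def demo():
    # The two situations from the thread: precert + cert, then a TSP cert on top.
    key = ec.generate_private_key(ec.SECP256R1())
    tls = build(1, "www.example.com", key)
    pre = build(1, "www.example.com", key, precert=True)
    tsp = build(1, "BadCA Timestamping Unit", key)
    return classify_serial_reuse([tls, pre]), classify_serial_reuse([tls, pre, tsp])
```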