[cabfpub] CT Precertificates and the BRs

Rob Stradling rob.stradling at comodo.com
Fri Jan 10 13:57:51 UTC 2014

On 07/01/14 15:47, Erwann Abalea wrote:
> Le 07/01/2014 13:14, Rob Stradling a écrit :
>> I've changed my mind.  I no longer think that a CT Precertificate (with
>> the same Issuer Name/Key and Serial Number as the corresponding SSL
>> Certificate) is currently illegal under the BRs.
>> The current scope of the BRs is "Certificates intended to be used for
>> authenticating servers accessible through the Internet".  A CT
>> Precertificate is only intended to be used to verify that the CA and the
>> CT Log(s) are doing CT stuff correctly.  It's the corresponding SSL
>> Certificate that is intended to be used for authenticating server(s).
> I think it's a dangerous reading. It could be stretched to authorize
> several colliding {issuerDN,serialNumber} certificates as long as only
> one of those certificates is "intended to be used for authenticating
> servers accessible through the Internet" (since it's the rationale
> you're using).
> For example, {issuerDN="C=US,O=BadCA", serialNumber=1} could be
> associated to such a TLS certificate and a TSP certificate and an Adobe
> signing certificate and even an OCSP responder.

I agree that there are some loopholes in the BRs that need to be fixed. 
  So let's fix them.

Meanwhile, I will continue to interpret the BRs based on what is 
actually written in the BRs.

The BRs need to say what they mean, and mean what they say.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the Public mailing list