[cabfpub] Ballot for limited exemption to RFC 5280 for CT implementation

Ben Wilson ben.wilson at digicert.com
Wed Oct 1 10:00:29 MST 2014


Will someone please provide me, on-list (or off-list), with a suggested course of action on how to bring closure to this issue with a ballot?

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Laurie
Sent: Wednesday, October 1, 2014 10:50 AM
To: Brian Smith
Cc: CABFPub
Subject: Re: [cabfpub] Ballot for limited exemption to RFC 5280 for CT implementation

On 26 September 2014 20:34, Brian Smith <brian at briansmith.org> wrote:
> On Fri, Sep 26, 2014 at 3:54 AM, Ben Laurie <benl at google.com> wrote:
>> On 26 September 2014 07:43, Man Ho (Certizen) <manho at certizen.com> wrote:
>>> Does any existing certificate issuing software support "duplicate"
>>> certificates (that means the issuer, same serial number, same public
>>> key, same subject info.) in the system? If not, many CAs will not be
>>> able to issue pre-certs.
>>
>> Pre-certs do not require duplication - you can always issue them via 
>> an intermediate.
>
> Ben, most of my messages in this thread are about exactly that. The
> RFC is ambiguous (at best) about what the issuer field of a
> precertificate signed by a precertificate signing certificate is.
> Above, you've chosen one particular interpretation, which is probably
> what y'all intended when you wrote the RFC. But, the RFC doesn't
> actually say that. In particular, the RFC seems to say that the issuer
> field of the precertificate should be the subject of the final issuer,
> not the subject of the precertificate signing certificate. And then
> the precertificate signing certificate mechanism doesn't solve the
> duplicate serial number issue.

The RFC says:

"If the Precertificate is not signed with the CA certificate that will
issue the final certificate, then the TBSCertificate also has its issuer
changed to that of the CA that will issue the final certificate"
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
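As an added illustration (not code from this thread, the CA/B Forum or RFC 6962), the two rewrites the quoted RFC text describes, applied to a constructed toy TBSCertificate with a minimal DER reader/writer: the poison extension is dropped and the issuer Name is replaced by that of the CA that will issue the final certificate. The Names are simplified placeholders and the validity and SPKI fields are left empty; only the poison OID, basicConstraints OID and signature algorithm OID are real values.

```python
POISON_OID = bytes.fromhex("060a2b06010401d679020403")  # DER TLV of 1.3.6.1.4.1.11129.2.4.3
def tlv(tag, body):  # DER encode one tag-length-value (lengths below 65536)
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body

def read_tlv(buf, pos):  # -> (tag, body, end); low tag numbers only
    tag, first = buf[pos], buf[pos + 1]
    nb = 0 if first < 0x80 else first & 0x7F
    ln = first if nb == 0 else int.from_bytes(buf[pos + 2:pos + 2 + nb], "big")
    start = pos + 2 + nb
    return tag, buf[start:start + ln], start + ln

def children(body):  # split a constructed body into (tag, body) pairs
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out

def tbs_fields(tbs_der):  # fields of the TBSCertificate and the index of its issuer
    fields = children(read_tlv(tbs_der, 0)[1])
    return fields, (3 if fields[0][0] == 0xA0 else 2)  # [0] version is optional
def issuer_of(tbs_der):
    fields, i = tbs_fields(tbs_der)
    return tlv(*fields[i])

def precert_to_logged_tbs(tbs_der, final_issuer_name):
    """The RFC 6962 3.2 rewrites quoted above: drop the poison, swap in the final issuer."""
    fields, i = tbs_fields(tbs_der)
    fields[i] = read_tlv(final_issuer_name, 0)[:2]
    out = b""
    for tag, body in fields:
        if tag == 0xA3:  # [3] extensions: keep everything except the poison
            exts = children(children(body)[0][1])
            kept = [tlv(0x30, e) for _, e in exts if not e.startswith(POISON_OID)]
            body = tlv(0x30, b"".join(kept))
        out += tlv(tag, body)
    return tlv(0x30, out)

# Constructed sample (not real certificate material): placeholder Names, empty validity/SPKI.
def name(s): return tlv(0x30, tlv(0x0C, s.encode()))  # simplified placeholder Name
PRECERT_SIGNER = name("Example Precert Signing Cert")
FINAL_CA = name("Example Issuing CA")
BC_EXT = tlv(0x30, tlv(0x06, bytes.fromhex("551d13")) + tlv(0x04, tlv(0x30, b"")))
POISON_EXT = tlv(0x30, POISON_OID + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x05, b"")))
SAMPLE_PRECERT_TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x42")
    + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b"))) + PRECERT_SIGNER
    + tlv(0x30, b"") + name("example.com") + tlv(0x30, b"")
    + tlv(0xA3, tlv(0x30, BC_EXT + POISON_EXT)))
```

Note that the logged TBSCertificate still carries the precertificate's serial number, which is why swapping the issuer in the log entry does not by itself address the duplicate-serial concern raised in the thread.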