[cabfpub] Draft Ballot 134 - Application of RFC 5280 to Precertificates

kirk_hall at trendmicro.com
Wed Oct 1 10:07:24 MST 2014


I don't think the extended discussion of my proposed ballot (Ballot 134) on whether RFC 5280 applies to precerts has reached any clear consensus.

I'm thinking of amending Ballot 134 to read as follows (and we should amend the title of the ballot to be "Application of RFC 5280 to Precertificates" or something similar - no exemptions required).

Here is my proposed new Ballot 134 - comments welcome.


Appendix B - Certificate Extensions (Normative); Application of RFC 5280

This appendix specifies the requirements for Certificate extensions for Certificates generated after the Effective Date. ***

(5) Application of RFC 5280

For purposes of clarification, a Precertificate as described in RFC 6962 - Certificate Transparency shall not be considered to be a "certificate" subject to the requirements of RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile under these Baseline Requirements.


Kirk R. Hall
Operations Director, Trust Services
Trend Micro
+1.503.753.3088

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Wednesday, October 01, 2014 10:00 AM
To: Ben Laurie; Brian Smith
Cc: CABFPub
Subject: Re: [cabfpub] Ballot for limited exemption to RFC 5280 for CT implementation

Will someone please provide me, on-list (or off-list), with a suggested course of action on how to bring closure to this issue with a ballot?

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Laurie
Sent: Wednesday, October 1, 2014 10:50 AM
To: Brian Smith
Cc: CABFPub
Subject: Re: [cabfpub] Ballot for limited exemption to RFC 5280 for CT implementation

On 26 September 2014 20:34, Brian Smith <brian at briansmith.org<mailto:brian at briansmith.org>> wrote:
> On Fri, Sep 26, 2014 at 3:54 AM, Ben Laurie <benl at google.com<mailto:benl at google.com>> wrote:
>> On 26 September 2014 07:43, Man Ho (Certizen) <manho at certizen.com<mailto:manho at certizen.com>> wrote:
>>> Does any existing certificate issuing software support "duplicate"
>>> certificate (that means the issuer, same serial number, same public
>>> key, same subject info.) in the system? If not, many CAs will not be
>>> able to issue pre-cert.
>>
>> Pre-certs do not require duplication - you can always issue them via
>> an intermediate.
>
> Ben, most of my messages in this thread are about exactly that. The
> RFC is ambiguous (at best) about what the issuer field of a
> precertificate signed by a precertificate signing certificate is.
> Above, you've chosen one particular interpretation, which is probably
> what y'all intended when you wrote the RFC. But, the RFC doesn't
> actually say that. In particular, the RFC seems to say that the issuer
> field of the precertificate should be the subject of the final issuer,
> not the subject of the precertificate signing certificate. And then
> the precertificate signing certificate mechanism doesn't solve the
> duplicate serial number issue.

The RFC says:

"If the Precertificate is not signed with the
   CA certificate that will issue the final certificate, then the
   TBSCertificate also has its issuer changed to that of the CA that
   will issue the final certificate"

_______________________________________________

Public mailing list

Public at cabforum.org<mailto:Public at cabforum.org>

https://cabforum.org/mailman/listinfo/public

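The Precertificate handling the quoted thread argues about, as an added example that is not code from the thread, the Forum, RFC 6962 or any CT implementation: a plain-dict model of a Precertificate and its final certificate showing why a validator written against RFC 5280 alone rejects the Precertificate, how RFC 6962 section 3.2 derives the final TBSCertificate when a Precertificate Signing Certificate is used, and when the duplicate-serial concern raised above applies. The OIDs are the real RFC 6962 / RFC 5280 values; all names, key identifiers and the validator's extension list are constructed assumptions.

```python
# Added example, not code from the CA/Browser Forum thread, RFC 6962 or any CT implementation.
# Certificates are plain dicts. OIDs are the real RFC 6962 / RFC 5280 values; every name,
# key identifier and the validator's extension list below is a constructed assumption.

CT_POISON_OID = "1.3.6.1.4.1.11129.2.4.3"          # RFC 6962 3.1: critical poison extension
CT_PRECERT_SIGNING_EKU = "1.3.6.1.4.1.11129.2.4.4"  # RFC 6962 3.1: Precertificate Signing Certificate EKU
AKI_OID = "2.5.29.35"                               # RFC 5280 4.2.1.1: Authority Key Identifier
# Extensions this toy validator recognises (AKI, SKI, KU, SAN, BasicConstraints); the poison
# extension is deliberately absent, as it is for any validator written against RFC 5280 alone.
KNOWN_EXTENSIONS = {AKI_OID, "2.5.29.14", "2.5.29.15", "2.5.29.17", "2.5.29.19"}

def rfc5280_accepts(cert):
    """RFC 5280 section 4.2: a certificate with an unrecognised critical extension MUST be rejected."""
    return all(not e["critical"] or e["oid"] in KNOWN_EXTENSIONS for e in cert["extensions"])

def final_tbs_from_precert(precert, signer, issuing_ca):
    """RFC 6962 section 3.2: drop the poison extension; if the Precertificate was signed by a
    Precertificate Signing Certificate, issuer and AKI become those of the CA issuing the final cert."""
    exts = [e for e in precert["extensions"] if e["oid"] != CT_POISON_OID]
    issuer = precert["issuer"]
    if CT_PRECERT_SIGNING_EKU in signer["eku"]:
        issuer = issuing_ca["subject"]
        exts = [dict(e, value=issuing_ca["ski"]) if e["oid"] == AKI_OID else e for e in exts]
    return {"serial": precert["serial"], "issuer": issuer, "subject": precert["subject"],
            "spki": precert["spki"], "extensions": exts}

def same_issuer_and_serial(a, b):
    """RFC 5280 section 4.1.2.2: (issuer, serial) must be unique per CA. A Precertificate signed
    directly by the issuing CA shares both with its final certificate; one signed via a
    Precertificate Signing Certificate does not."""
    return a["issuer"] == b["issuer"] and a["serial"] == b["serial"]

# Constructed sample CAs: the issuing CA and a dedicated Precertificate Signing Certificate.
ISSUING_CA = {"subject": "CN=Example Issuing CA", "ski": bytes([1]) * 20, "eku": []}
PRECERT_SIGNER = {"subject": "CN=Example Precert Signer", "ski": bytes([2]) * 20,
                  "eku": [CT_PRECERT_SIGNING_EKU]}

def make_precert(signer):
    """A Precertificate whose issuer and AKI name the certificate that signed it (the reading
    Ben Laurie takes above; Brian Smith's objection is that the RFC does not clearly say so)."""
    return {"serial": 0x1234, "issuer": signer["subject"], "subject": "CN=www.example.com",
            "spki": b"constructed-spki",
            "extensions": [{"oid": AKI_OID, "critical": False, "value": signer["ski"]},
                           {"oid": "2.5.29.17", "critical": False, "value": ["www.example.com"]},
                           {"oid": CT_POISON_OID, "critical": True, "value": None}]}

if __name__ == "__main__":
    for signer in (ISSUING_CA, PRECERT_SIGNER):
        pre = make_precert(signer)
        fin = final_tbs_from_precert(pre, signer, ISSUING_CA)
        print(signer["subject"], rfc5280_accepts(pre), rfc5280_accepts(fin), same_issuer_and_serial(pre, fin))
```

Whichever signer is used, the Precertificate itself fails RFC 5280 validation because of the critical poison extension, while the derived final TBSCertificate is identical in both cases; only the directly-signed Precertificate collides with the final certificate on (issuer, serial).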
