[cabfpub] [TRANS] CA survey - CT Precertificate format in6962-bis
rob.stradling at comodo.com
Fri Oct 3 08:26:04 MST 2014
On 03/10/14 13:44, Stephen Davidson wrote:
> Hi Rob:
> Thanks for this. Here's my personal feedback:
> 1) Yes, implementing the ability to use the same serial in both the precert and actual cert is onerous for many CAs, but
> 2) the CAs responsible for the vast majority of SSL issuance will have to make it happen as the Google EV implementation precedes the standards track.
The "vast majority of SSL issuance" does not reflect the number of
implementations that will exist of either RFC6962 or of the future
Standards Track CT RFC.
> I believe that the complexity of dealing with that non-unique serial has been at the heart of most CA resistance to CT, but the authors of CT considered it an essential requirement.
RFC6962 requires a Precertificate and the associated Certificate to both
be X.509 certificates and share exactly the same serial number.
However, 6962-bis is almost certainly going to change this somehow.
So, please imagine for now that a Precertificate doesn't have to have
the same serial number as the associated Certificate. Then consider
Melinda's question. Thanks.
> While I am grateful to have the difficulties of the non-unique serial acknowledged, it strikes me as fruitless to open discussion at this late stage.
RFC6962 is an Experimental RFC. To turn it into a Standards Track RFC,
we need to smooth its rough edges.
> CAs are already implementing CT: it goes live in 89 days.
And when the Standards Track RFC exists, CAs (and log servers and
browsers) will need to also implement that.
> Best regards, Stephen
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rob Stradling
> Sent: Thursday, October 02, 2014 5:36 PM
> To: public at cabforum.org
> Subject: [cabfpub] [TRANS] CA survey - CT Precertificate format in 6962-bis
> [Only CABForum members can post to this list, hence why I'm forwarding this message from Melinda Shore]
> Hi, all:
> I co-chair the IETF "trans" working group, which is in the process
> of developing a standards-track specification for certificate
> transparency (logging). We're trying to get a handle on the
> potential impact of including serial numbers in precertificates.
> Are there CAs who would otherwise implement CT but for whom
> either needing to know the serial number of a certificate prior
> to it being issued, or having to issue a certificate and precertificate
> simultaneously would be 1) a complete non-starter, or 2)
> excessively onerous?
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
COMODO CA Limited, Registered in England No. 04058690
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ
This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
sender by replying to the e-mail containing this attachment. Replies to
this email may be monitored by COMODO for operational or business
reasons. Whilst every endeavour is taken to ensure that e-mails are free
from viruses, no liability can be accepted and the recipient is
requested to use their own virus checking software.
More information about the Public