[cabfpub] [TRANS] CA survey - CT Precertificate format in6962-bis

Jeremy.Rowley jeremy.rowley at digicert.com
Fri Oct 3 12:25:21 MST 2014


These "ORs" all assume that the auditors determine the precertificates 
are out of the scope of the BRs or that the BR reference to 5280 doesn't 
cover fields (only extensions).  No one wants to go through the 
conversation with their auditor that we just witnessed on the mailing 
list, which is why this ballot is necessary.  If it doesn't pass, the 
Forum is going to encourage opinion shopping.  I generally view this as 
a bad thing as it creates a "race to the bottom" for auditors.

Jeremy

On 10/3/2014 1:06 PM, Rob Stradling wrote:
> On 03/10/14 17:21, Rich Smith wrote:
>>
>>> -----Original Message-----
>>> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
>>> On Behalf Of Stephen Davidson
>>>
>> <snip>
>>     it goes live in 89 days.
>> </snip>
>> [RWS] Unless Ballot 134 fails to pass.  IF that happens, the CAs which issue
>> EV certificates will have a choice to make.  Either issue pre-certificates
>> with the same serial number in contravention of the EV Guidelines to comply
>> with Google's policy, and thereby risk failing their WebTrust or ETSI
>> compliance audit, OR not issue pre-certificates with the same serial number,
>> remain in compliance with the EV Guidelines, and let Google deal with the
>> site operators whose compliant EV certificates no longer work in Chrome.
> OR issue Precertificates, taking the view that Precertificates are out
> of scope for the BRs.
>
> OR issue Precertificates, taking the view that Precertificates are in
> scope for the BRs, but that duplicate serial numbers don't violate the
> BRs (because the BRs don't actually incorporate RFC5280 Section 4.1.2.2
> currently).
>
> Plenty of options.
>
>>> Best regards, Stephen
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
>>> On Behalf Of Rob Stradling
>>> Sent: Thursday, October 02, 2014 5:36 PM
>>> To: public at cabforum.org
>>> Subject: [cabfpub] [TRANS] CA survey - CT Precertificate format in
>>> 6962-bis
>>>
>>> [Only CABForum members can post to this list, hence why I'm forwarding
>>> this message from Melinda Shore]
>>>
>>>
>>> Hi, all:
>>>
>>> I co-chair the IETF "trans" working group, which is in the process of
>>> developing a standards-track specification for certificate transparency
>>> (logging).  We're trying to get a handle on the potential impact of
>>> including serial numbers in precertificates.
>>> Are there CAs who would otherwise implement CT but for whom either
>>> needing to know the serial number of a certificate prior to it being
>>> issued, or having to issue a certificate and precertificate
>>> simultaneously would be 1) a complete non-starter, or 2) excessively
>>> onerous?
>>>
>>> Thanks,
>>>
>>> Melinda
>>>
>>>
>>> --
>>> Rob Stradling
>>> Senior Research & Development Scientist
>>> COMODO - Creating Trust Online
>>> _______________________________________________
>>> Public mailing list
>>> Public at cabforum.org
>>> https://cabforum.org/mailman/listinfo/public
>>>
>>>
>>> _______________________________________________
>>> Public mailing list
>>> Public at cabforum.org
>>> https://cabforum.org/mailman/listinfo/public



More information about the Public mailing list