[cabfpub] Ballot for limited exemption to RFC 5280 for CTimplementation

Ben Laurie benl at google.com
Wed Oct 1 16:48:12 UTC 2014

On 26 September 2014 20:32, Brian Smith <brian at briansmith.org> wrote:
> On Thu, Sep 25, 2014 at 2:57 AM, Ben Laurie <benl at google.com> wrote:
>> It seems to me the important point is not exactly what goes in a
>> precert vs. a cert, but the fact that a precert is unusable as a cert.
>> So, I'd suggest the language says that its OK to issue a cert with the
>> same issuer/serial number as another cert if and only if the
>> "duplicate" cert contains the CT poison extension. Or perhaps more
>> precisely, of all the certs with the same serial number/issuer, only
>> one does _not_have the poison extension.
> The point of this ballot is that precertificates are supposed to be
> treated like certificates, except that they can duplicate the serial
> numbers of other certificates from the same issuer. There are a lot of
> surprising consequences of that. For example, if a precertificate is
> "mis-issued" then it needs to be revoked, even though it has the
> poison extension.

I'm not at all sure I agree with this - the pre-certificate is just a
vehicle for carrying information about the final certificate. It
contains the poison extension precisely so it _can't_ be treated like
a certificate. Therefore, it seems to me, it does not need revocation.

> This, and probably other things, can cause trouble
> if the contents of the precertificate are substantially different than
> the contents of the real certificate for which it is a duplicate
> according to the serial number/issuer. In order to minimize the
> chances of such unintended negative consequences, it is best to
> further constrain the contents of a precertificate to be exactly the
> contents of the certificate for which it is supposed to correspond.
> For example, let's say there is a precertificate (something with the
> poison extension) for foo.com, and there is a certificate (without the
> poison extension) for bar.com, and that both have the same serial
> number and issuer. That should be allowed according to you. But, the
> consequence is that revoking the precertificate for foo.com would
> adversely affect bar.com. I think it is unnecessary to allow such bad
> situations to occur.
> Again, I am sorry to be pedantic about this, but I think it is
> important to narrow the scope of the exception as much as possible, to
> minimize the possibility that it would have such negative
> consequences.
> Cheers,
> Brian

More information about the Public mailing list