[cabfpub] Ballot for limited exemption to RFC 5280 for CT implementation

Ben Laurie benl at google.com
Wed Oct 1 16:49:37 UTC 2014

On 26 September 2014 20:34, Brian Smith <brian at briansmith.org> wrote:
> On Fri, Sep 26, 2014 at 3:54 AM, Ben Laurie <benl at google.com> wrote:
>> On 26 September 2014 07:43, Man Ho (Certizen) <manho at certizen.com> wrote:
>>> Does any existing certificate issuing software support "duplicate"
>>> certificate (that mean the issuer, same serial number, same public key,
>>> same subject info.) in the system? If not, many CAs will not be able to
>>> issue pre-cert.
>> Pre-certs do not require duplication - you can always issue them via
>> an intermediate.
> Ben, most of my messages in this thread are about exactly that. The
> RFC is ambiguous (at best) about what the issuer field of a
> precertificate signed by a precertificate signing certificate is.
> Above, you've chosen one particular interpretation, which is probably
> what y'all intended when you wrote the RFC. But, the RFC doesn't
> actually say that. In particular, the RFC seems to say that the issuer
> field of the precertificate should be the subject of the final issuer,
> not the subject of the precertificate signing certificate. And then
> the precertificate signing certificate mechanism doesn't solve the
> duplicate serial number issue.

The RFC says:

"If the Precertificate is not signed with the CA certificate that will
issue the final certificate, then the TBSCertificate also has its issuer
changed to that of the CA that will issue the final certificate"
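As an added illustration (not part of the original message, the RFC, or any CA's software), here is a small Python model of the rule quoted above, under the reading that the precertificate as actually signed carries the Precertificate Signing Certificate's subject in its issuer field: a simplified TBSCertificate dataclass, the CA-side poison step, the log-side reconstruction, and an assumed issuance-database uniqueness key of (issuer, serial); the CA and signer names are constructed sample values.

```python
from dataclasses import dataclass, replace

# OIDs from RFC 6962: the precertificate poison extension and the SCT list extension.
POISON_OID = "1.3.6.1.4.1.11129.2.4.3"
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"

@dataclass(frozen=True)
class TBSCertificate:
    """Simplified model of the to-be-signed part of an X.509 certificate."""
    issuer: str
    serial: int
    subject: str
    public_key: str
    extensions: tuple = ()  # (oid, value) pairs, order preserved

def make_precert_tbs(final_tbs, precert_signer_subject=None):
    """CA side: append the poison extension to the final TBSCertificate. With a
    Precertificate Signing Certificate, the precert as signed carries that
    certificate's subject in its issuer field (assumed reading of RFC 6962)."""
    issuer = precert_signer_subject or final_tbs.issuer
    return replace(final_tbs, issuer=issuer,
                   extensions=final_tbs.extensions + ((POISON_OID, "NULL"),))

def log_reconstruct_tbs(precert_tbs, final_issuer):
    """Log side (RFC 6962 3.2): drop the poison extension and set the issuer to
    the CA that issues the final certificate (a no-op if that CA signed the precert)."""
    exts = tuple(e for e in precert_tbs.extensions if e[0] != POISON_OID)
    return replace(precert_tbs, issuer=final_issuer, extensions=exts)

def strip_sct_extension(final_cert_tbs):
    """The same TBSCertificate reconstructed from the final certificate instead."""
    exts = tuple(e for e in final_cert_tbs.extensions if e[0] != SCT_LIST_OID)
    return replace(final_cert_tbs, extensions=exts)

def issuance_key(tbs):
    """Assumed uniqueness key of a CA issuance database: (issuer, serial)."""
    return (tbs.issuer, tbs.serial)

def demo():
    ca, psc = "CN=Example CA", "CN=Example Precert Signer"  # constructed sample names
    final = TBSCertificate(ca, 4711, "CN=example.test", "pubkey",
                           (("2.5.29.17", "DNS:example.test"),))
    direct = make_precert_tbs(final)        # precert signed by the issuing CA itself
    via_psc = make_precert_tbs(final, psc)  # precert signed via a PSC
    with_sct = replace(final, extensions=final.extensions + ((SCT_LIST_OID, "scts"),))
    return {
        "direct_collides": issuance_key(direct) == issuance_key(final),
        "psc_collides": issuance_key(via_psc) == issuance_key(final),
        "log_tbs_matches": log_reconstruct_tbs(via_psc, ca) == strip_sct_extension(with_sct),
    }
```

Under this model the directly signed precert shares (issuer, serial) with the final certificate, the PSC-signed one does not, and the log's reconstructed TBSCertificate matches the final certificate's TBSCertificate once the SCT extension is removed.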
