[cabfpub] [TRANS] CA survey - CT Precertificate format in 6962-bis

Stephen Davidson S.Davidson at quovadisglobal.com
Fri Oct 3 12:44:32 UTC 2014

Hi Rob:

Thanks for this.  Here's my personal feedback:

1) Yes, implementing the ability to use the same serial in both the precert and actual cert is onerous for many CAs, but 
2) the CAs responsible for the vast majority of SSL issuance will have to make it happen as the Google EV implementation precedes the standards track.

I believe that the complexity of dealing with that non-unique serial has been at the heart of most CA resistance to CT, but the authors of CT considered it an essential requirement.

While I am grateful to have the difficulties of the non-unique serial acknowledged, it strikes me as fruitless to open discussion at this late stage.  CAs are already implementing CT:  it goes live in 89 days.

Best regards, Stephen

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rob Stradling
Sent: Thursday, October 02, 2014 5:36 PM
To: public at cabforum.org
Subject: [cabfpub] [TRANS] CA survey - CT Precertificate format in 6962-bis

[Only CABForum members can post to this list, hence why I'm forwarding this message from Melinda Shore]

Hi, all:

I co-chair the IETF "trans" working group, which is in the process
of developing a standards-track specification for certificate
transparency (logging).  We're trying to get a handle on the
potential impact of including serial numbers in precertificates.
Are there CAs who would otherwise implement CT but for whom
either needing to know the serial number of a certificate prior
to it being issued, or having to issue a certificate and precertificate
simultaneously would be 1) a complete non-starter, or 2)
excessively onerous?
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online