[cabfpub] [TRANS] CA survey - CT Precertificate format in6962-bis

Rob Stradling rob.stradling at comodo.com
Fri Oct 3 15:26:04 UTC 2014

On 03/10/14 13:44, Stephen Davidson wrote:
> Hi Rob:

Hi Stephen.

> Thanks for this.  Here's my personal feedback:
> 1) Yes, implementing the ability to use the same serial in both the precert and actual cert is onerous for many CAs, but
> 2) the CAs responsible for the vast majority of SSL issuance will have to make it happen as the Google EV implementation precedes the standards track.

The "vast majority of SSL issuance" does not reflect the number of 
implementations that will exist of either RFC6962 or of the future 
Standards Track CT RFC.

> I believe that the complexity of dealing with that non-unique serial has been at the heart of most CA resistance to CT, but the authors of CT considered it an essential requirement.

RFC6962 requires a Precertificate and the associated Certificate to both 
be X.509 certificates and share exactly the same serial number. 
However, 6962-bis is almost certainly going to change this somehow.

So, please imagine for now that a Precertificate doesn't have to have 
the same serial number as the associated Certificate.  Then consider 
Melinda's question.  Thanks.

> While I am grateful to have the difficulties of the non-unique serial acknowledged, it strikes me as fruitless to open discussion at this late stage.

RFC6962 is an Experimental RFC.  To turn it into a Standards Track RFC, 
we need to smooth its rough edges.

> CAs are already implementing CT:  it goes live in 89 days.

And when the Standards Track RFC exists, CAs (and log servers and 
browsers) will need to also implement that.

> Best regards, Stephen
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rob Stradling
> Sent: Thursday, October 02, 2014 5:36 PM
> To: public at cabforum.org
> Subject: [cabfpub] [TRANS] CA survey - CT Precertificate format in 6962-bis
> [Only CABForum members can post to this list, hence why I'm forwarding this message from Melinda Shore]
> Hi, all:
> I co-chair the IETF "trans" working group, which is in the process
> of developing a standards-track specification for certificate
> transparency (logging).  We're trying to get a handle on the
> potential impact of including serial numbers in precertificates.
> Are there CAs who would otherwise implement CT but for whom
> either needing to know the serial number of a certificate prior
> to it being issued, or having to issue a certificate and precertificate
> simultaneously would be 1) a complete non-starter, or 2)
> excessively onerous?
> Thanks,
> Melinda

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.

More information about the Public mailing list