[cabfpub] Ballot for limited exemption to RFC 5280 for CT implementation

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Thu Sep 18 01:15:47 MST 2014


Brian – on your last question, Google has indicated it will not accept the “(private)” option, so that is not going to happen.

If you have a proposal for amending the ballot that will accomplish what we are trying to do, we would be very interested!

From: Brian Smith [mailto:brian at briansmith.org]
Sent: Thursday, September 18, 2014 4:09 PM
To: Kirk Hall (RD-US)
Cc: public at cabforum.org
Subject: Re: [cabfpub] Ballot for limited exemption to RFC 5280 for CT implementation

On Wed, Sep 17, 2014 at 11:09 PM, kirk_hall at trendmicro.com wrote:
To deal with the need to define pre-certificates, we could change the sentence to read as follows:

“In order to comply with the requirements of Certificate Transparency, CAs may use precertificates as defined in RFC 6962 and certificates that contain the same serial number and are issued from the same Subordinate CA Certificate.”

This is not precise enough, because it doesn't say that the contents of the precertificate with (issuer, serial number) of (O=Example, 1234) must match the contents of the certificate with the same (issuer, serial number). Also, it doesn't exclude the possibility of multiple precertificates with the same (issuer, serial number). Also, RFC 6962 doesn't completely and unambiguously specify how the contents of a precertificate are compared to the contents of the final certificate.

Also, is it true that none of these precertificates would use the "(private)." redaction mechanism from the RFC6962bis? I assume so, since the redaction mechanism isn't in RFC6962 and is subject to change and/or even be removed.

Cheers,
Brian
