[cabfpub] Ballot for limited exemption to RFC 5280 for CT implementation

Rob Stradling rob.stradling at comodo.com
Thu Sep 18 02:08:00 MST 2014


On 18/09/14 04:55, Brian Smith wrote:
> On Wed, Sep 17, 2014 at 7:01 PM, Kirk Hall wrote:
>     1. Amend the Definitions as follows:
>
>     Valid Certificate: A Certificate that passes the validation
>     procedure specified in RFC 5280 _(except for the limited exemption
>     provided in Appendix B)._
>
>
> This seems like a bad and unnecessary idea to me. The trans working
> group is already debating discussing the format of precertificates so
> that they are not syntactically-valid certificates for the
> standards-track CT mechanism. The version of CT Google and the CAs have
> implemented is an experiment, not a standard or proposed standard. The
> CAs can work around this issue by using the OCSP-based CT mechanism
> instead of the precertificate mechanism.

Hi Brian.

It would be great if OCSP Stapling was already deployed sufficiently 
ubiquitously for this workaround to be viable.  Unfortunately, it's 
still not.

> Finally, IIUC, the only
> negative consequence of this is that EV certificates won't get the EV
> indicator in Google Chrome. It doesn't affect any other clients, IIUC.

Correct.  However, EV certificate holders really don't want to lose the 
EV indicator in Chrome!

> IMO, it makes more sense to change the experiment than it does to
> (effectively) change the fundamental standards that all CABForum work is
> based on.

Maybe so, but I don't see any sign of Google's CT/EV plan being 
derailed.  Remember, it's already been 3 years since the DigiNotar 
incident...

> Note that the use or non-use of a precertificate signing certificate has
> no bearing (IIUC) on whether the precertificate would be a duplicate of
> the final certificate, because the difference between Option 1 and
> Option 2 doesn't affect the issuer and serial number fields of the
> precertificate.

Not quite.  The Precertificate's serial number is indeed the same with 
both options.  However, the Precertificate's issuer name and AKI are 
different, depending on whether option 1 or 2 is used.

<snip>

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

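The point made above about what does and does not change between the two precertificate signing options of RFC 6962 (Option 1: the CA signs the Precertificate directly; Option 2: a Precertificate Signing Certificate signs it) is easier to see in code. The following is an added illustration, not code from this thread, from Comodo or from any CT implementation. Certificates are modelled as plain Python dicts rather than real DER, and the names CA, PSC and FINAL_TBS and all of their field values are constructed sample data; only the two OIDs are the real ones from RFC 6962. It shows that the serial number is identical under both options, that the issuer name and AKI differ, that only Option 1 yields an (issuer, serial) pair that collides with the final certificate under RFC 5280's uniqueness rule, and that the log-side reconstruction of the TBSCertificate (strip the poison extension, put the CA's issuer and AKI back when a Precertificate Signing Certificate was used) arrives at the same TBS either way.

```python
"""Model of the two RFC 6962 precertificate signing options.

Certificates are modelled as dicts (an illustration, not real DER) so the
example runs offline; the field names and the two OIDs follow RFC 6962 s.3.1.
"""
from copy import deepcopy

POISON_OID = "1.3.6.1.4.1.11129.2.4.3"          # CT poison extension (critical)
PRECERT_SIGNING_EKU = "1.3.6.1.4.1.11129.2.4.4"  # EKU marking a Precertificate Signing Certificate

# Constructed sample data (hypothetical names and key identifiers).
CA = {"subject": "CN=Example CA", "ski": "ca-key-id"}
PSC = {"subject": "CN=Example CA Precert Signing", "ski": "psc-key-id",
       "issuer": CA["subject"], "eku": [PRECERT_SIGNING_EKU]}
FINAL_TBS = {
    "serial": 0x1234,
    "issuer": CA["subject"],
    "subject": "CN=www.example.test",
    "extensions": {"authorityKeyIdentifier": CA["ski"],
                   "subjectAltName": ["www.example.test"]},
}


def make_precert_tbs(final_tbs, option, psc=None):
    """Build the Precertificate TBS from the TBS the CA intends to issue.

    Option 1: the CA signs it, so issuer and AKI stay the CA's own.
    Option 2: a Precertificate Signing Certificate signs it, so the issuer
    name becomes the PSC's subject and the AKI becomes the PSC's key id.
    """
    tbs = deepcopy(final_tbs)
    # The poison extension is critical and its value is ASN.1 NULL (0x05 0x00).
    tbs["extensions"][POISON_OID] = {"critical": True, "value": b"\x05\x00"}
    if option == 1:
        return tbs
    if option == 2:
        if psc is None or PRECERT_SIGNING_EKU not in psc.get("eku", []):
            raise ValueError("option 2 needs a certificate with the precert signing EKU")
        tbs["issuer"] = psc["subject"]
        tbs["extensions"]["authorityKeyIdentifier"] = psc["ski"]
        return tbs
    raise ValueError("option must be 1 or 2")


def log_reconstruct_tbs(precert_tbs, signer, ca):
    """What a CT log does before computing the SCT (RFC 6962 s.3.2).

    Remove the poison extension; if the Precertificate was signed by a
    Precertificate Signing Certificate, replace issuer and AKI with the CA's.
    """
    if POISON_OID not in precert_tbs["extensions"]:
        raise ValueError("not a precertificate: poison extension missing")
    tbs = deepcopy(precert_tbs)
    del tbs["extensions"][POISON_OID]
    if PRECERT_SIGNING_EKU in signer.get("eku", []):
        tbs["issuer"] = ca["subject"]
        if "authorityKeyIdentifier" in tbs["extensions"]:
            tbs["extensions"]["authorityKeyIdentifier"] = ca["ski"]
    return tbs


def rfc5280_identity(tbs):
    """RFC 5280 requires (issuer, serial) to be unique; this is that key."""
    return (tbs["issuer"], tbs["serial"])


def compare_options():
    """Summarise how the two options differ, and that the log sees no difference."""
    p1 = make_precert_tbs(FINAL_TBS, 1)
    p2 = make_precert_tbs(FINAL_TBS, 2, PSC)
    aki = "authorityKeyIdentifier"
    return {
        "serial_same": p1["serial"] == p2["serial"] == FINAL_TBS["serial"],
        "issuer_same": p1["issuer"] == p2["issuer"],
        "aki_same": p1["extensions"][aki] == p2["extensions"][aki],
        "option1_duplicates_final": rfc5280_identity(p1) == rfc5280_identity(FINAL_TBS),
        "option2_duplicates_final": rfc5280_identity(p2) == rfc5280_identity(FINAL_TBS),
        "log_tbs_equal": (log_reconstruct_tbs(p1, CA, CA)
                          == log_reconstruct_tbs(p2, PSC, CA)
                          == FINAL_TBS),
    }


if __name__ == "__main__":
    for key, value in compare_options().items():
        print(f"{key}: {value}")
```

The "option1_duplicates_final" result is exactly the RFC 5280 conflict the ballot's Appendix B exemption is about: under Option 1 the Precertificate and the final certificate share an issuer name and a serial number while being different signed objects. Under Option 2 the issuer name differs, so the conflict disappears, at the cost of operating an extra signing certificate.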

