[cabfpub] Ballot for limited exemption to RFC 5280 for CT implementation

Brian Smith brian at briansmith.org
Thu Sep 18 14:04:07 MST 2014


On Thu, Sep 18, 2014 at 2:08 AM, Rob Stradling <rob.stradling at comodo.com> wrote:
> On 18/09/14 04:55, Brian Smith wrote:
> It would be great if OCSP Stapling was already deployed sufficiently
> ubiquitously for this workaround to be viable.  Unfortunately, it's still
> not.

There's no way for me to assess the accuracy of that statement. Also,
your definition of "viable" is very different than mine, because I
think browsers shouldn't show the EV indicator unless there's a
stapled OCSP response, *regardless* of CT. (The only useful thing
about EV is its effect on encouraging CT adoption.)

>> Finally, IIUC, the only
>> negative consequence of this is that EV certificates won't get the EV
>> indicator in Google Chrome. It doesn't affect any other clients, IIUC.
>
> Correct.  However, EV certificate holders really don't want to lose the EV
> indicator in Chrome!

That's a private matter between the CAs and Google.

>> IMO, it makes more sense to change the experiment than it does to
>> (effectively) change the fundamental standards that all CABForum work is
>> based on.
>
> Maybe so, but I don't see any sign of Google's CT/EV plan being derailed.
> Remember, it's already been 3 years since the DigiNotar incident...

Again, that's between Google and the CAs in its program.

>> Note that the use or non-use of a precertificate signing certificate has
>> no bearing (IIUC) on whether the precertificate would be a duplicate of
>> the final certificate, because the difference between Option 1 and
>> Option 2 doesn't affect the issuer and serial number fields of the
>> precertificate.
>
>
> Not quite.  The Precertificate's serial number is indeed the same with both
> options.  However, the Precertificate's issuer name and AKI are different,
> depending on whether option 1 or 2 is used.

No. Read section 3.2 very carefully; in particular, note all the
mentions of "final certificate" and "Note that it is also possible to
reconstruct this TBSCertificate from the final certificate by
extracting the TBSCertificate from it and deleting the SCT extension."

Regardless, this type of confusion is why it is important to be
careful and precise in specifying things.

Cheers,
Brian
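An added example, not part of this thread, of the RFC 6962 section 3.2 reconstruction Brian refers to: given the final certificate's TBSCertificate, deleting the SCT-list extension yields the precertificate's TBSCertificate, and the issuer and serialNumber fields are left untouched in the process. The DER helpers and the minimal sample TBSCertificate below are constructed for the demonstration and are not a real certificate.

```python
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"  # RFC 6962 SCT list extension OID

def der(tag, content):
    """Encode one DER TLV; lengths up to 255 bytes suffice for this sample."""
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + content

def der_oid(dotted):
    """Encode an OBJECT IDENTIFIER from dotted-decimal form."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(chunk))
    return der(0x06, bytes(body))

def tlvs(data):
    """Split concatenated DER TLVs into (tag, content) pairs."""
    out, i = [], 0
    while i < len(data):
        first = data[i + 1]
        k = 0 if first < 0x80 else first & 0x7F
        n = first if first < 0x80 else int.from_bytes(data[i + 2:i + 2 + k], "big")
        out.append((data[i], data[i + 2 + k:i + 2 + k + n]))
        i += 2 + k + n
    return out

def strip_sct_extension(tbs):
    """Rebuild a DER TBSCertificate without its SCT-list extension (RFC 6962 3.2)."""
    rebuilt = b""
    for tag, content in tlvs(tlvs(tbs)[0][1]):  # version, serial, sigalg, issuer, ...
        if tag == 0xA3:  # [3] EXPLICIT Extensions ::= SEQUENCE OF Extension
            kept = [der(t, c) for t, c in tlvs(tlvs(content)[0][1])
                    if der(*tlvs(c)[0]) != der_oid(SCT_LIST_OID)]  # first TLV is extnID
            content = der(0x30, b"".join(kept))
        rebuilt += der(tag, content)  # every other field is copied byte-for-byte
    return der(0x30, rebuilt)

def sample_final_tbs():
    """Constructed, minimal TBSCertificate shape for the demo (not a real certificate)."""
    name = der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3") + der(0x0C, b"Example CA"))))
    ext = lambda oid, val: der(0x30, der_oid(oid) + der(0x04, val))
    return der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01\x23\x45")  # v3, serial
        + der(0x30, der_oid("1.2.840.113549.1.1.11")) + name                    # sigalg, issuer
        + der(0x30, der(0x17, b"140918000000Z") + der(0x17, b"150918000000Z"))  # validity
        + name + der(0x30, b"")                                                 # subject, SPKI stub
        + der(0xA3, der(0x30, ext("2.5.29.19", b"\x30\x00") + ext(SCT_LIST_OID, b"\x00\x00"))))
```

Feeding a real final certificate's TBSCertificate to `strip_sct_extension` would require a full-length DER decoder; the helpers here deliberately handle only the lengths the sample needs.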

