[cabfpub] Ballot for limited exemption to RFC 5280 for CT implementation

Brian Smith brian at briansmith.org
Fri Sep 26 12:34:58 MST 2014


On Fri, Sep 26, 2014 at 3:54 AM, Ben Laurie <benl at google.com> wrote:
> On 26 September 2014 07:43, Man Ho (Certizen) <manho at certizen.com> wrote:
>> Does any existing certificate issuing software support "duplicate"
>> certificates (that means the same issuer, same serial number, same public key,
>> same subject info) in the system? If not, many CAs will not be able to
>> issue pre-certs.
>
> Pre-certs do not require duplication - you can always issue them via
> an intermediate.

Ben, most of my messages in this thread are about exactly that. The
RFC is ambiguous (at best) about what the issuer field of a
precertificate signed by a precertificate signing certificate is.
Above, you've chosen one particular interpretation, which is probably
what y'all intended when you wrote the RFC. But the RFC doesn't
actually say that. In particular, the RFC seems to say that the issuer
field of the precertificate should be the subject of the final issuer,
not the subject of the precertificate signing certificate. And then
the precertificate signing certificate mechanism doesn't solve the
duplicate serial number issue.

Cheers,
Brian