[cabfpub] Ballot for limited exemption to RFC 5280 for CT implementation

Brian Smith brian at briansmith.org
Thu Sep 18 08:09:15 UTC 2014

On Wed, Sep 17, 2014 at 11:09 PM, kirk_hall at trendmicro.com <
kirk_hall at trendmicro.com> wrote:

>  To deal with the need to define pre-certificates, we could change the
> sentence to read as follows:
> “In order to comply with the requirements of Certificate Transparency, CAs
> may use precertificates *as defined in RFC 6962* and certificates that
> contain the same serial number and are issued from the same Subordinate CA
> Certificate.”

This is not precise enough, because it doesn't say that the contents of the
precertificate with (issuer, serial number) of (O=Example, 1234) must match
the contents of the certificate with the same (issuer, serial number).
Also, it doesn't exclude the possibility of multiple precertificates with
the same (issuer, serial number). Also, RFC 6962 doesn't completely and
unambiguously specify how the contents of a precertificate are compared to
the contents of the final certificate.

Also, is it true that none of these precertificates would use the
"(private)." redaction mechanism from the RFC6962bis? I assume so, since
the redaction mechanism isn't in RFC6962 and is subject to change and/or
even be removed.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140918/cb0c6f04/attachment-0003.html>

More information about the Public mailing list