[cabfpub] Ballot for limited exemption to RFC 5280 for CT implementation

Tim Shirley TShirley at trustwave.com
Fri Sep 19 01:47:20 UTC 2014

>> That's confusing, but since it is said that the "tbs_certificate" is
>> without the poison extension, and the CA MUST include this extension,
>> then this "tbs_certificate" does NOT reflect what the CA produced and
>> sent. Thus, this "tbs_certificate" is modified by the log
>> (modifications listed: issuer name and AKI), and the result is then
>> signed by the log.
>Thanks for explaining that. It is helpful to know why people disagree.
>However, I still think I am right. I agree it is strange that section
>3.2 doesn't say anything about the poison extension. But, I think it is
>a big leap to infer from that omission that the precertificate's issuer
>and AKI must be the subject and SKI of the precertificate signing
>certificate.

It isn't just that it doesn't say anything about the poison extension though.  It specifically states that the issuer name and AKI will be changed to match the final issuer.  Why would it mention them being changed if they weren't different than the final issuer's in the first place?

