[cabfpub] Ballot for limited exemption to RFC 5280 forCTimplementation

Rob Stradling rob.stradling at comodo.com
Fri Sep 19 08:23:57 UTC 2014

On 19/09/14 07:04, Erwann Abalea wrote:
> The logic:
>    - CA produces a PreCert by including the poison extension
>    - log extracts the TBSCertificate from the PreCert, removes the poison
> extension, and changes issuer and AKI if the PreCert was issued under a
> PreCert Signing Certificate => the PreCert and what is signed by the log
> are now different (signature and signatureAlgorithm have been removed,
> poison extension has been removed, issuer and AKI has been changed if
> PreCert issuer is different than the final CA)
>    - log signs this result and sends the SCT back to the publisher
>    - CA includes a set of SCT in the final certificate
> Later:
>    - the browser receives the final certificate
>    - it extracts the TBSCertificate from it, takes the content of the SCT
> extension apart (keeps it for future use) and removes the extension
>    - it verifies the resulting modified TBSCertificate against the
> signatures contained in the SCT extension it kept => if issuer and AKI
> weren't changed by the log, this verification would always fail if
> PreCert SC is different than final CA, and the browser can't know what
> these values were before modifications

Thanks Erwann.  This logic is exactly correct.  The test cases in the 
certificate-transparency.org code demonstrate that this is correct.

Brian's error (which I shared until Emilia corrected me privately last 
week, and which you also shared until I corrected you on TRANS earlier 
this week) is in thinking that the AKI and Issuer modifications are done 
by the CA and are reflected in the Precertificate.  They're not. 
They're done by the log when it transforms the Precertificate's 
TBSCertificate into the "modified TBSCertificate".
(When a Precertificate Signing Certificate signs a Precertificate, that 
Precertificate's Issuer and AKI match the Precertificate Signing 
Certificate's Subject and SKI).

When verifying a precert_entry SCT, a TLS Client needs to reconstruct 
the "modified TBSCertificate", *NOT* the Precertificate's TBSCertificate.

Since we've each independently reached the same wrong conclusion on this 
issue and have needed to be corrected, I think we can safely say that 
relevant text in RFC6962 is insufficiently clear!

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the Public mailing list