[cabfpub] Ballot for limited exemption to RFC 5280 for CT implementation

Brian Smith brian at briansmith.org
Fri Sep 26 19:32:12 UTC 2014


On Thu, Sep 25, 2014 at 2:57 AM, Ben Laurie <benl at google.com> wrote:
> It seems to me the important point is not exactly what goes in a
> precert vs. a cert, but the fact that a precert is unusable as a cert.
> So, I'd suggest the language says that it's OK to issue a cert with the
> same issuer/serial number as another cert if and only if the
> "duplicate" cert contains the CT poison extension. Or perhaps more
> precisely, of all the certs with the same serial number/issuer, only
> one does _not_ have the poison extension.

The point of this ballot is that precertificates are supposed to be
treated like certificates, except that they can duplicate the serial
numbers of other certificates from the same issuer. There are a lot of
surprising consequences of that. For example, if a precertificate is
"mis-issued" then it needs to be revoked, even though it has the
poison extension. This, and probably other things, can cause trouble
if the contents of the precertificate are substantially different than
the contents of the real certificate for which it is a duplicate
according to the serial number/issuer. In order to minimize the
chances of such unintended negative consequences, it is best to
further constrain the contents of a precertificate to be exactly the
contents of the certificate for which it is supposed to correspond.

For example, let's say there is a precertificate (something with the
poison extension) for foo.com, and there is a certificate (without the
poison extension) for bar.com, and that both have the same serial
number and issuer. That should be allowed according to you. But, the
consequence is that revoking the precertificate for foo.com would
adversely affect bar.com. I think it is unnecessary to allow such bad
situations to occur.

Again, I am sorry to be pedantic about this, but I think it is
important to narrow the scope of the exception as much as possible, to
minimize the possibility that it would have such negative
consequences.

Cheers,
Brian
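The constraint argued for in the message above (a precertificate must be the final certificate with the poison extension added, nothing else changed, and both share issuer and serial) as an added example that is not code from the thread or from any CA or CT implementation: a Go check built on the standard crypto/x509 package. The two extension OIDs are taken from RFC 6962; the CA key, names, dates and serial numbers are constructed throwaway values so the check can be exercised offline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)
// CT extension OIDs as assigned in RFC 6962 (the thread names only the poison extension).
var oidCTPoison, oidCTSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}, asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}
// Constructed throwaway issuer (fresh key plus CA template) so the check can run offline.
var _, caKey, _ = ed25519.GenerateKey(rand.Reader)
var ca = &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
	IsCA: true, BasicConstraintsValid: true, PublicKey: caKey.Public()}
// Issue mints a leaf for dns under the test CA; poison=true appends the critical poison
// extension (value ASN.1 NULL), which is what turns the result into a precertificate.
func Issue(serial int64, dns string, poison bool) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: dns},
		DNSNames: []string{dns}, NotBefore: time.Date(2014, 9, 26, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2015, 9, 26, 0, 0, 0, 0, time.UTC)}
	if poison {
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCTPoison, Critical: true, Value: []byte{0x05, 0x00}}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, caKey.Public(), caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// splitCT reports whether c carries the poison extension and returns every other
// extension (the SCT list also dropped) DER-encoded, for byte-for-byte comparison.
func splitCT(c *x509.Certificate) (poison bool, neutral []byte) {
	for _, e := range c.Extensions {
		poison = poison || e.Id.Equal(oidCTPoison)
		if der, _ := asn1.Marshal(e); !e.Id.Equal(oidCTPoison) && !e.Id.Equal(oidCTSCTList) {
			neutral = append(neutral, der...)
		}
	}
	return poison, neutral
}
// PrecertMatchesCert applies the constraint argued for above: pre is a precertificate,
// final is not, they share issuer and serial, and everything else is identical.
func PrecertMatchesCert(pre, final *x509.Certificate) bool {
	prePoison, preExts := splitCT(pre)
	finPoison, finExts := splitCT(final)
	return prePoison && !finPoison && pre.SerialNumber.Cmp(final.SerialNumber) == 0 &&
		bytes.Equal(pre.RawIssuer, final.RawIssuer) && bytes.Equal(pre.RawSubject, final.RawSubject) &&
		bytes.Equal(pre.RawSubjectPublicKeyInfo, final.RawSubjectPublicKeyInfo) && bytes.Equal(preExts, finExts) &&
		pre.NotBefore.Equal(final.NotBefore) && pre.NotAfter.Equal(final.NotAfter)
}
```

With this check a foo.com precertificate paired with a bar.com certificate under the same issuer and serial, the situation the message describes, is rejected on the subject mismatch.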
