[Servercert-wg] [EXTERNAL] Ballot SC23: Precertificates

Kirk Hall Kirk.Hall at entrustdatacard.com
Tue Oct 8 15:17:42 MST 2019

Because Ballot 134 was mentioned (it added a provision that stated that a pre-certificate is not a certificate under RFC 5280), here is the history of Ballot 134, which.  The ballot was intended to solve a problem so CT could move forward.  If I recall correctly, the problem was RFC 5280 prohibits two “certificates” from having the same Serial Number, which a pre-certificate and the resulting certificate have.  The solution that was favored was to define a CT pre-certificate as not being a “certificate” under RFC 5280, and thereby avoid the conflict and allow CT to proceed.

I was the ballot proposer in October 2014, and Ben Wilson of DigiCert and Ryan Sleevi of Google were endorsers.  It passed by 3 yes votes among the browsers (Google, Mozilla, Opera) and 17 yes votes among CAs.  OpenTrust was the only CA to vote no.  Here is the ballot from our wiki.

Ballot 134 - Application of RFC 5280 to Precertificates

Kirk Hall of Trend Micro made the following motion, and Ben Wilson of Digicert and Ryan Sleevi from Google have endorsed it.

Reason for Ballot

CAs are implementing Certificate Transparency (CT) based on RFC 6962, which contains the concept of pre-certificates. The current Baseline Requirements require all certificates to comply with RFC 5280. (See Definition of “Valid Certificate” and references to RFC 5280 in Appendix B.) For some implementations, there is a potential dilemma if the pre-certificate and the production certificate are issued from the same sub-CA and both have the same Serial Number, not permitted under RFC 5280. Given that CAs will likely be implementing CT before potential technical differences can be worked out, the purpose of this ballot is to allow CAs to meet CT deadlines without violating the Baseline Requirements requiring compliance with RFC 5280.

– Motion Begins –

Effective immediately, the title to Appendix B of the Baseline Requirements shall be amended as follows:

  *   Appendix B – Certificate Content and Extensions; Application of RFC 5280 (Normative)
  *   This appendix specifies  additional requirements for Certificate content and extensions for Certificates generated after the Effective Date.

and a new subsection (5) will be added as follows:

(5) Application of RFC 5280

For purposes of clarification, a Precertificate as described in RFC 6962 – Certificate Transparency shall not be considered to be a “certificate” subject to the requirements of RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile under these Baseline Requirements.

– Motion Ends –
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191008/c23b14ba/attachment-0001.html>

More information about the Servercert-wg mailing list