[Servercert-wg] [EXTERNAL] Ballot SC23: Precertificates

Ryan Sleevi sleevi at google.com
Tue Oct 8 15:21:40 MST 2019

On Tue, Oct 8, 2019 at 6:17 PM Kirk Hall via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Because Ballot 134 was mentioned (it added a provision that stated that a
> pre-certificate is not a certificate under RFC 5280), here is the history
> of Ballot 134, which.  The ballot was intended to solve a problem so CT
> could move forward.  If I recall correctly, the problem was RFC 5280
> prohibits two “certificates” from having the same Serial Number, which a
> pre-certificate and the resulting certificate have.

Right, there was significant, extensive debate about whether this was the
case. I maintain still that it's not. The endorsement of the Ballot by
Google was noted with that caveat on the list.

> The solution that was favored was to define a CT pre-certificate as not
> being a “certificate” under RFC 5280, and thereby avoid the conflict and
> allow CT to proceed.

Right, and alternative proposals were offered, by Brian Smith (then at
Mozilla), pointing out the benefit of language closer to what Wayne is
proposing, because of the potential loopholes that would permit
non-compliant issuance (as we've seen some CAs refer to, unrelated to
this), as well as confusion around the expectation of provision of services
(as we see most recently re: OCSP).