Re: [Trans] Precertificate format

Brian Smith <brian@briansmith.org> Mon, 08 September 2014 23:14 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 922C91A0278 for <trans@ietfa.amsl.com>; Mon, 8 Sep 2014 16:14:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z1S8Xwj-s9i4 for <trans@ietfa.amsl.com>; Mon, 8 Sep 2014 16:14:14 -0700 (PDT)
Received: from mail-qg0-f45.google.com (mail-qg0-f45.google.com [209.85.192.45]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 490371A00E4 for <trans@ietf.org>; Mon, 8 Sep 2014 16:14:14 -0700 (PDT)
Received: by mail-qg0-f45.google.com with SMTP id j107so3133060qga.4 for <trans@ietf.org>; Mon, 08 Sep 2014 16:14:13 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=t9viYKp16tkfnh6Q45HrzdQeEwwsn9ro1z6jSeVEqlc=; b=Fe0I23BW5v6Gc4S0JJ/47ZyRioBtuOW9XeUzoqVjyWowtHrj2lMWlkM97d8SUn09DB lreCrdb0HNOYw0mX/X5LZ0YF06PhxGASHXGZqDmZyK16bYV9PkD4fku2xihruuPXQWdB duo/MqII39dHGrWoYILPWtBNqI8CO/Ksgbj9Bvnsj0/Rn0vMQXY8/rECP1/FVZliAIbC pkXRu0kxYtQqbk1tLQyr+QIOPAUJbEtZCwNdze0SfqzdBqrssm1le+Lpiu/nzb1w5RAF ybh1re0jfGdeSx+yW26WoRKmdpBGU1fVtQbJCuC3eQDkFSIG2zp5LYnd5W8Q1lGrpis5 MGIQ==
X-Gm-Message-State: ALoCoQmZPnUMyvk3h+WVoEAi+ZHhLJIErdBauvWK59B6goZ/Q5prMvvta6K3Zs5jX1Qm6tV+GmfG
MIME-Version: 1.0
X-Received: by 10.140.38.73 with SMTP id s67mr44581717qgs.4.1410218053476; Mon, 08 Sep 2014 16:14:13 -0700 (PDT)
Received: by 10.224.67.133 with HTTP; Mon, 8 Sep 2014 16:14:13 -0700 (PDT)
In-Reply-To: <540E0E90.1070208@bbn.com>
References: <540DFA75.2040000@gmail.com> <540E0E90.1070208@bbn.com>
Date: Mon, 8 Sep 2014 16:14:13 -0700
Message-ID: <CAFewVt5kZqw0-W7PqtFHe7yJUsR9PqVJ6C74ZShgo0qs19wLjA@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/0JbMRuBKtW3FxOo5pIk-izXTvBc
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] Precertificate format
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Sep 2014 23:14:15 -0000

On Mon, Sep 8, 2014 at 1:16 PM, Stephen Kent <kent@bbn.com> wrote:
> The current pre-cert model requires a CA to be able to issue two certs with
> the same serial number.

The CA may use a Precertificate Signing Certificate to sign the
Precertificate, and then sign the final certificate with the
production CA certificate. Then, there would be no duplicate serial
number issues.

Cheers,
Brian