Re: [Trans] Prior knowledge of certificate serial number

Rick Andrews <> Wed, 24 September 2014 19:06 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id A0D471A036B for <>; Wed, 24 Sep 2014 12:06:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7.687
X-Spam-Status: No, score=-7.687 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.786, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id xNVczjH-vOnF for <>; Wed, 24 Sep 2014 12:06:03 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3D1271A036D for <>; Wed, 24 Sep 2014 12:06:03 -0700 (PDT)
X-AuditID: d80ac3f3-f790d6d00000101f-ce-54231618c016
Received: from ( []) by (Symantec Brightmail Gateway out) with SMTP id 7F.D6.04127.81613245; Wed, 24 Sep 2014 20:06:00 +0100 (BST)
Received: from [] (helo=TUS1XCHHUBPIN03.SYMC.SYMANTEC.COM) by with esmtp (Exim 4.76) (envelope-from <>) id 1XWrt1-0007EH-1t; Wed, 24 Sep 2014 19:05:59 +0000
Received: from TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM ([]) by TUS1XCHHUBPIN03.SYMC.SYMANTEC.COM ([]) with mapi; Wed, 24 Sep 2014 12:05:52 -0700
From: Rick Andrews <>
To: Melinda Shore <>, "" <>
Date: Wed, 24 Sep 2014 12:05:51 -0700
Thread-Topic: [Trans] Prior knowledge of certificate serial number
Thread-Index: Ac/XSKMH5T64Oi2nT2WsKPjTSOYIsQA3q1yw
Message-ID: <544B0DD62A64C1448B2DA253C011414607D1408063@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprFIsWRmVeSWpSXmKPExsVyg+vQb10JMeUQg1sH9Sza2maxWKx9fJHF gclj56y77B5LlvxkCmCK4rJJSc3JLEst0rdL4Mpo/9rCVPCHv+L3GcMGxl88XYycHBICJhLN +64xQdhiEhfurWfrYuTiEBJ4xyjx8N1CKOcVo8S2/a9ZQKqEBFYxSky6JAViswnoSWx5fIUd xBYR8JPovvyIGcRmEVCVuLT9CRuILSzgKHFi+SVWiBonielfOqHqjSQm/D7HCGLzCkRJvFt3 gx1ivobEtZc3geo5ODgFNCWOLwYbyQh03PdTa8AOZRYQl7j1ZD7U0QISS/acZ4awRSVePv7H ClEvKnGnfT0jRL2OxILdn9ggbG2JZQtfM0OsFZQ4OfMJC0SvpMTBFTdYJjCKz0KyYhaS9llI 2mchaV/AyLKKUaaktNiwOLckv7SkILXCwFivuDI3ERhfyXrJ+bmbGMExdvjzDsbfexwPMQpw MCrx8M7iUQ4RYk0sA6o8xCjBwawkwqvyUSlEiDclsbIqtSg/vqg0J7X4EKM0B4uSOG9ICEeI kEB6YklqdmpqQWoRTJaJg1OqgVFy2o3eOw2660zT11nObv2q2Pu86cX7Rd1c8xfVZ4s03b2w 34Fz91P75nMXrztlZUf187iJnF1xfd/jH3efVtbKzN61I1b7xN37VpqKXuyK286YvfDaPe36 /e2P6xNXTPkyI8jHqjg/LmfFwZApa18186yYvvaD1IZdm4/u+1r/NnrJ9TVCU17OUmIpzkg0 1GIuKk4EAEnFMbGtAgAA
Subject: Re: [Trans] Prior knowledge of certificate serial number
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 24 Sep 2014 19:06:08 -0000


At Symantec we know the serial number prior to issuance, because we generate it and put it in the TBSCertficate.

The only problem we have with serial numbers is in the case where we fail to get enough SCTs to put in the cert. We'll retry the operation up to 48 hours, but we always want to set the notBefore date to the day we issue the cert, so we don't short-change customers (believe me, there are customers who notice). But if we update the notBefore date and retry the logging operation, we have to change the serial number too. Otherwise we might log different certs with the same serial number in different logs, and that would be inconsistent. However, we use the combination of issuer name and serial number as a unique key for that order in our database, so changing serial numbers is challenging. The simpler alternative is to reject the order and ask the customer to start over, but that's a bad customer experience. We're not sure yet how we'll solve this, but we'll figure something out (we don't expect 6962-bis to provide a solution). And while we hope that this situation will occur very rarely, it could happen, so we're preparing for it.


-----Original Message-----
From: Trans [] On Behalf Of Melinda Shore
Sent: Tuesday, September 23, 2014 9:08 AM
Subject: [Trans] Prior knowledge of certificate serial number

One of the questions that's come up is whether or not it's reasonable to expect that CAs will (or can) have knowledge of a certificate's serial number prior to issuance - it's one of the basic questions that needs to be considered in the context of the precertificate discussions.
We'd be grateful if any CAs (particularly ones with a CT implementation either in the works or planned) could give some feedback on that.



Trans mailing list