Re: [Trans] Precertificate format

Stephen Davidson, Mon, 20 October 2014 13:39 UTC

From: Stephen Davidson
To: Ben Laurie
Date: Mon, 20 Oct 2014 13:34:43 +0000
List-Id: Public Notary Transparency working group discussion list


What do you propose re the launch of CT in Chrome?  It would be preferable to 
have the actual CT implementation match the CT standard rather than for CAs to 
have to rejig the logging later.

Kind regards,


From: Trans On Behalf Of Ben Laurie
Sent: Thursday, October 16, 2014 12:07 PM
Subject: [Trans] Precertificate format

We (the 6962-bis editors) would like to propose that we replace the existing 
precertificate formats with a TBSCertificate wrapped in PKCS#7. This lays to 
rest, we think, any possible confusion with X509v3 certs, whilst allowing a 
simple mapping between the final cert and the pre-cert.

Obviously there are details to be nailed down, but before we do so, we'd like 
to hear any discussion on the general idea.