Re: [Trans] Precertificate format
Carl Wallace <carl@redhoundsoftware.com> Tue, 09 September 2014 16:20 UTC
Date: Tue, 09 Sep 2014 12:18:57 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: Ben Laurie <benl@google.com>
Message-ID: <D0349DEB.216FE%carl@redhoundsoftware.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/O6KnqZqQWiGvDk5XUIkpN0qkbQU
Cc: "trans@ietf.org" <trans@ietf.org>
On 9/9/14, 8:07 AM, "Ben Laurie" <benl@google.com> wrote:

>On 9 September 2014 00:24, Rick Andrews <Rick_Andrews@symantec.com> wrote:
>>> The CA may use a Precertificate Signing Certificate to sign the
>>> Precertificate, and then sign the final certificate with the production
>>> CA certificate. Then, there would be no duplicate serial number issues.
>>
>> Brian, even if the CA uses a Precert signing cert, the precert's issuer
>> name has to be that of the ultimate issuer, and the serial number has to
>> be that of the ultimate certificate, so I don't think that solves the
>> problem.
>
> Surely it does, since it is actually signed by the precert signing
> cert.

I think the point above is that the issuerName/serialNumber is what is required to be unique, not issuer's public key/serial number.

> Changing the issuer name just means it's even less of a conflict,
> since it then shouldn't even validate according to normal rules.

It may be worth requiring the pre-certificate signing certificate to omit the basicConstraints extension to further reduce conflict.

Different question: why must the SKID in the pre signing certificate match the AKID in the TBSCertificate (as noted in 3.3)? Seems like a bad idea to have the same SKID in both the pre-certificate signing certificate and in the real CA certificate. Allowing the SKID to be calculated as per normal and placing the SKID of the final issuer in a SAN may be a better approach.
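An added example, not part of this thread or of any IETF draft, that models the arrangement Carl is questioning with the Python `cryptography` library: a Precertificate Signing Certificate with its own name and key issues the precertificate, the final CA issues the final certificate, and the code checks which identities, signatures and key identifiers actually coincide. All names, serial numbers and keys are constructed for illustration.

```python
# Added example, not from the thread: the Precertificate Signing Certificate setup Carl
# discusses, built with the 'cryptography' library; names, serials, keys are constructed.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

CT_PRECERT_SIGNING = x509.ObjectIdentifier("1.3.6.1.4.1.11129.2.4.4")  # RFC 6962 EKU

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
def build(subject, issuer, serial, subject_key, signer_key, *exts):
    # SKID derived from the subject's own key, AKID from the key that actually signs.
    now = datetime.datetime(2014, 9, 9)  # constructed validity start
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .serial_number(serial).public_key(subject_key.public_key())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(subject_key.public_key()), False)
         .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(signer_key.public_key()), False))
    for ext, critical in exts:
        b = b.add_extension(ext, critical)
    return b.sign(signer_key, hashes.SHA256())

def make_pki():
    ca_key, psc_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = build(name("Example CA"), name("Example CA"), 1, ca_key, ca_key,
               (x509.BasicConstraints(ca=True, path_length=None), True))
    # Precert Signing Certificate: CA-issued, CT EKU, and (as Carl suggests) no basicConstraints.
    psc = build(name("Example CA Precert Signer"), ca.subject, 2, psc_key, ca_key,
                (x509.ExtendedKeyUsage([CT_PRECERT_SIGNING]), False))
    # Precertificate and final certificate share subject and serial; issuer name and key differ.
    serial = 0x1234
    precert = build(name("www.example.com"), psc.subject, serial, leaf_key, psc_key,
                    (x509.PrecertPoison(), True))
    final = build(name("www.example.com"), ca.subject, serial, leaf_key, ca_key)
    return ca, psc, precert, final

def identity(cert):  # RFC 5280 identifies a certificate by issuer name plus serial
    return cert.issuer.rfc4514_string(), cert.serial_number
def issued_by(cert, issuer):  # does issuer's key verify cert's TBSCertificate signature?
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False
def skid(cert):  # each certificate's own SKID; the signer's need not match the CA's
    return cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
```

With a distinct signer name the precertificate and final certificate have different (issuer, serial) identities even though the serial is shared, and the precertificate's signature verifies only under the signing certificate, never under the CA.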