Re: [Trans] Alternate formats for Precertificates
Tomas Gustavsson <tomas@primekey.se> Wed, 26 February 2014 16:48 UTC
Return-Path: <tomas@primekey.se>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DF371A019B for <trans@ietfa.amsl.com>; Wed, 26 Feb 2014 08:48:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.797
X-Spam-Level:
X-Spam-Status: No, score=-2.797 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q3-hwg-5xUMd for <trans@ietfa.amsl.com>; Wed, 26 Feb 2014 08:48:24 -0800 (PST)
Received: from mail.primekey.se (mail.primekey.se [213.179.18.11]) by ietfa.amsl.com (Postfix) with ESMTP id 421C91A0696 for <trans@ietf.org>; Wed, 26 Feb 2014 08:48:20 -0800 (PST)
Received: from mail.primekey.se (localhost [127.0.0.1]) by mail.primekey.se (Postfix) with ESMTP id D384945C00CD; Wed, 26 Feb 2014 17:49:33 +0100 (CET)
Received: from [192.168.1.107] (c-50-184-94-125.hsd1.ca.comcast.net [50.184.94.125]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mail.primekey.se (Postfix) with ESMTPSA id 35FB645C00B8; Wed, 26 Feb 2014 17:49:33 +0100 (CET)
Message-ID: <530E1AD0.9020401@primekey.se>
Date: Wed, 26 Feb 2014 08:48:16 -0800
From: Tomas Gustavsson <tomas@primekey.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Ben Laurie <benl@google.com>
References: <CABrd9SSOmEgbTvLNw5bPN2SnKbob800qEecn+tHvZUkrghFcQg@mail.gmail.com> <530E100A.7040503@primekey.se> <530E142A.90007@comodo.com> <530E16CD.6030908@primekey.se> <CABrd9SR1S7Fg5Xs_dkgou3HfF4O_hyzFxW4qS=-2eti7DmGZew@mail.gmail.com>
In-Reply-To: <CABrd9SR1S7Fg5Xs_dkgou3HfF4O_hyzFxW4qS=-2eti7DmGZew@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV using ClamSMTP
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/VnRmk1VerHu24kDTCeAewgzK38s
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] Alternate formats for Precertificates
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2014 16:48:28 -0000
<snip> >>>> >>>> I don't know why I did not think of this earlier, since I use it all the >>>> time. CMP with CRMF is used in many systems in production. Card >>>> management, LTE base stations (3GPP standardization), some routers etc. >>>> >>>> Re-using existing RFC always feels good :-) >>> >>> >>> RFC4211 says: >>> "The fields of CertRequest have the following meaning: >>> ... >>> serialNumber MUST be omitted. This field is assigned by the CA >>> during certificate creation. >>> >>> signingAlg MUST be omitted. This field is assigned by the CA >>> during certificate creation." >>> >>> So that's two ways we would need to violate RFC4211 in order to use its >>> CertTemplate format for Precertificates. >> >> >> Seems like very minor violations to me. In addition using CRMF would remove >> the need for the poison certificate extension. CRMF also gives more >> flexibility as you (RFC 6962 that is) can choose which fields to include >> and/or exclude, potentially answering to questions like privacy issues and >> such. > > We're only discussing alternatives to avoid breaking ritual compliance > with the RFC, so selecting another one we have to violate hardly seems > like forward motion. Just bringing some more alternatives to the table. I'm sure modifying RFC4211 is easier than modifying RFC5280 ;-) >> >>> >>> In contrast, allowing a Precertificate/Certificate pair to use the same >>> serial number only violates RFC5280 in one way. (Oh, and to me, reusing >>> the TBSCertificate format feels good too! ;-) )
- [Trans] Alternate formats for Precertificates Ben Laurie
- Re: [Trans] Alternate formats for Precertificates Phillip Hallam-Baker
- Re: [Trans] Alternate formats for Precertificates Tomas Gustavsson
- Re: [Trans] Alternate formats for Precertificates Goulet, Walter
- Re: [Trans] Alternate formats for Precertificates Rob Stradling
- Re: [Trans] Alternate formats for Precertificates Tomas Gustavsson
- Re: [Trans] Alternate formats for Precertificates Ben Laurie
- Re: [Trans] Alternate formats for Precertificates Tomas Gustavsson
- Re: [Trans] Alternate formats for Precertificates Paul Hoffman
- Re: [Trans] Alternate formats for Precertificates Carl Wallace
- Re: [Trans] Alternate formats for Precertificates Paul Hoffman
- Re: [Trans] Alternate formats for Precertificates Carl Wallace
- Re: [Trans] Alternate formats for Precertificates Melinda Shore
- Re: [Trans] Alternate formats for Precertificates Robin Alden
- Re: [Trans] Alternate formats for Precertificates Rob Stradling
- Re: [Trans] Alternate formats for Precertificates Rob Stradling
- Re: [Trans] Alternate formats for Precertificates Tomas Gustavsson