Re: [Trans] making progress on precertificate discussion

Stephen Kent <> Fri, 03 October 2014 19:26 UTC

List-Id: Public Notary Transparency working group discussion list <>


> Hi, all:
> Problems around precertificate contents and formats were among
> the things we first discussed when the working group was chartered,
> and here we are, still at it.  There are basically two problems
> that fall under the "precertificate" rubric: 1) whether or not
> it's possible/reasonable to include a certificate's serial number
> (as this implies that the issuer will know in advance what the
> serial number will be), and 2) encoding/representation.  There's
> a general sense that the first *seems* like it ought to be a
> problem, but we haven't had CAs stepping forward saying that
> this would prevent them from being able to implement and
> would be unacceptably onerous for them.  Instead, we're hearing
> reports of at least one major CA solving the problem by
> simultaneously issuing precertificates and certs.
I'm confused by the last sentence above. One can issue a cert at the
same time a pre-cert is issued, but the cert does not contain the
SCT that will be generated by the log, so the parallel issuance seems 
and I'm not sure how it helps.
> Given the lack of new information and lack of new technical
> arguments, I think we need to close the serial number aspect of
> the discussion and go ahead with continuing to include it in
> precertificates.  This is the IETF and nearly any decision can
> be revisited with the introduction of new information or a new,
> compelling argument.  But in the meantime we need to move forward,
> so let's close this one and move on to trying to close the encoding
> discussion.
I'd feel more comfortable on this topic if we had the results
of the CABF member poll I suggested. Is there any progress on
that front?
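An added illustration, not code from the thread, of the point raised in the reply above: in the RFC 6962 flow the log's SCT covers the precertificate's TBSCertificate with only the poison extension removed, so the serial number must be fixed before the log is consulted, and a certificate issued in parallel has no SCT to embed. The JSON encoding and HMAC signature are constructed stand-ins for DER and the log's signing key; the two extension OIDs are the real CT ones.

```python
import hashlib
import hmac
import json

# Constructed, simplified model of the RFC 6962 precertificate flow.
# The two extension OIDs are the real CT ones; the JSON "encoding" and
# the HMAC "log signature" are stand-ins for DER and the log's ECDSA key.
POISON_OID = "1.3.6.1.4.1.11129.2.4.3"    # precertificate poison (critical)
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"  # embedded SCT list
LOG_KEY = b"constructed-log-key"          # placeholder, not a real key


def encode_tbs(tbs: dict) -> bytes:
    """Deterministic stand-in for DER encoding of a TBSCertificate."""
    return json.dumps(tbs, sort_keys=True).encode()

def without_extension(tbs: dict, oid: str) -> dict:
    """Copy of tbs with one extension removed, everything else untouched."""
    exts = {o: v for o, v in tbs["extensions"].items() if o != oid}
    return {**tbs, "extensions": exts}

def log_add_pre_chain(precert_tbs: dict) -> bytes:
    """Log side: the SCT signs the TBS with only the poison stripped.
    The serial number is covered, so the CA must fix it before logging."""
    if POISON_OID not in precert_tbs["extensions"]:
        raise ValueError("not a precertificate: poison extension missing")
    entry = without_extension(precert_tbs, POISON_OID)
    return hmac.new(LOG_KEY, encode_tbs(entry), hashlib.sha256).digest()

def ca_build_final_cert(precert_tbs: dict, sct: bytes) -> dict:
    """CA side: swap the poison for the SCT list and change nothing else."""
    final = without_extension(precert_tbs, POISON_OID)
    final["extensions"][SCT_LIST_OID] = sct.hex()
    return final

def sct_matches(final_tbs: dict, sct: bytes) -> bool:
    """Client side: rebuild the precert entry from the final cert and check."""
    entry = without_extension(final_tbs, SCT_LIST_OID)
    expected = hmac.new(LOG_KEY, encode_tbs(entry), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sct)


# Constructed sample: the CA commits to serial 4660 before talking to the log.
PRECERT = {"serial": 4660, "subject": "CN=example.test",
           "validity": "2014-10-03/2015-10-03",
           "extensions": {POISON_OID: "NULL"}}
```

A certificate whose serial is chosen after the log has answered fails the check, and one issued alongside the precertificate simply has no SCT to carry.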