Re: [Trans] Precertificate format

Erwann Abalea <eabalea@gmail.com> Mon, 15 September 2014 13:27 UTC

Return-Path: <eabalea@gmail.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06ACC1A0340 for <trans@ietfa.amsl.com>; Mon, 15 Sep 2014 06:27:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.1
X-Spam-Level:
X-Spam-Status: No, score=-0.1 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tPt-FbceP_rn for <trans@ietfa.amsl.com>; Mon, 15 Sep 2014 06:27:11 -0700 (PDT)
Received: from mail-vc0-x229.google.com (mail-vc0-x229.google.com [IPv6:2607:f8b0:400c:c03::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A2071A034A for <trans@ietf.org>; Mon, 15 Sep 2014 06:27:11 -0700 (PDT)
Received: by mail-vc0-f169.google.com with SMTP id ij19so3418613vcb.0 for <trans@ietf.org>; Mon, 15 Sep 2014 06:27:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=o56AqDj3FHyYYdcPNEdzR9+7GS27n+IZ+ccUvp4/vpM=; b=s1yJqifR5pBZyXFEoBJREcHYCDxL64ForKCPdzHxvLbEsM8zYyavEE/NGXaBN36Q4m adZAV3ttAemZb3Mc8P4YaHahWgFAxjFZihfIeLm2iOGsNrdE/vJZ1SshjKOfo/n6rzss DgoSN/ug4Hj08RycYgxW5vlSLt7cJyhAkzLDirAqJ/MCz+EijO/et11pv378S7ZijcsS 8oNv9+pEu/WVW69128Zgt9d6qLfT9ygpKWm/sre93eGD0IfjklwiAvAzhZ9VhkPY2V27 PyT3aDzsDBa+eMPTUeVy8dylAXo9JD8eFlT/zeqZUBrHa834dB8vadyKia7ojXSdM/oW l6Hw==
MIME-Version: 1.0
X-Received: by 10.220.168.74 with SMTP id t10mr23353592vcy.35.1410787630632; Mon, 15 Sep 2014 06:27:10 -0700 (PDT)
Received: by 10.52.241.4 with HTTP; Mon, 15 Sep 2014 06:27:10 -0700 (PDT)
In-Reply-To: <5416B216.6050904@comodo.com>
References: <540DFA75.2040000@gmail.com> <540E0E90.1070208@bbn.com> <540E28FD.7050809@gmail.com> <540ECD3A.4040704@primekey.se> <540F4598.5010505@bbn.com> <CABrd9SSg5=wuierLoqAU00pMHxgGx+=ai5mHv4u5t6zm43yDWg@mail.gmail.com> <5410779A.20209@bbn.com> <CABrd9STnjqDBF4-5ABJ86M_d0bwRyjRNjRW6Hnj9UpeYC7Xz9A@mail.gmail.com> <5411BDE4.1060508@bbn.com> <CABrd9STAHzg_KJi=nA7hsvz+k0SMS+bg6c3hcBtUwfOUm=hqTQ@mail.gmail.com> <5411E6B4.5040401@bbn.com> <02c365fdc2b8478fb78f310382ae0bb7@EX2.corp.digicert.com> <CA+i=0E4bKzn6DB73H7p8k+kDyrku54WhU5ZFcA2g5zY69Kn-Hg@mail.gmail.com> <5416B216.6050904@comodo.com>
Date: Mon, 15 Sep 2014 15:27:10 +0200
Message-ID: <CA+i=0E6svuD8RGNWqHaywtGm17JWz7Mw005OhRbnb+hPDrdrSw@mail.gmail.com>
From: Erwann Abalea <eabalea@gmail.com>
To: Rob Stradling <rob.stradling@comodo.com>
Content-Type: multipart/alternative; boundary="001a11c2bb1e93d49105031a976f"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/a7W7teT-xmsWf-ftQCqF4Sk2vJU
Cc: "trans@ietf.org" <trans@ietf.org>, Jeremy Rowley <jeremy.rowley@digicert.com>
Subject: Re: [Trans] Precertificate format
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Sep 2014 13:27:13 -0000

2014-09-15 11:32 GMT+02:00 Rob Stradling <rob.stradling@comodo.com>:

> On 12/09/14 20:26, Erwann Abalea wrote:
>
>> [...]
>> It can only work if the log signs the content (=TBSCertificate) and not
>> the whole CMS, thus ignoring the PreCert issuer signature. Leaving that
>> signature aside isn't more risky than it is now because it's already the
>> case (the log removes the poison extension before signing the resulting
>> certificate, right?).
>>
>
> Yes.  The log removes the poison extension, and (if a Precertificate
> Signing Certificate was used) it also changes the issuer name and AKI to
> match those of the final certificate's issuing CA.  This behaviour can
> remain the same.
>

Concerning these last changes (issuer name and AKI), are they under the
responsibility of the certificate issuer, or of the log signer?
My understanding was that it's the issuer's job. AKI being a variable
extension, how could the log know which one of {issuerName+serialNumber},
{keyIdentifier}, {issuerName+serialNumber+keyIdentifier} content will be
found in the final certificate?
If it's the log signer's job, then in the PreCert signing certificate
situation, there's no non-conformance to RFC5280 (regarding to
issuerName+serialNumber uniqueness).

-- 
Erwann.