[Trans] Precertificate format

Melinda Shore <melinda.shore@gmail.com> Mon, 08 September 2014 18:50 UTC

Message-ID: <540DFA75.2040000@gmail.com>
Date: Mon, 08 Sep 2014 10:50:29 -0800
From: Melinda Shore <melinda.shore@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: "trans@ietf.org" <trans@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/dzLRR90ajWnseZvL8xVZR-Rt8v4
Subject: [Trans] Precertificate format

It seems as if we've been talking about precertificate format for
quite some time, without coming to resolution.  Let's try to find
agreement on how to handle it and close issue 26.

The ticket, with description, is here:
http://trac.tools.ietf.org/wg/trans/trac/ticket/26

The fundamental problem is that because precertificates are currently
encoded as X.509 structures we have the potential for two certificates
to exist with the same issuer and same serial number.  Because the
precertificate is not usable as a TLS certificate in practice, this
may not be an issue.  However, it's a clear violation of section 4.1.2.2
in 5280 (and to be honest I'm a little fuzzy on its implications for
CRL processing).

So, are you all comfortable with letting the X.509 representation
stand, or do you have an alternative proposal?

Thanks,

Melinda
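The issue raised above (two X.509 structures with the same issuer and serial number, one of them a precertificate) can be checked for mechanically. The following Go program is an added example, not code from this thread or from any CT implementation: it builds a small constructed set of certificates in memory with Go's standard crypto/x509 package, then groups them by (issuer DN, serial) and reports every pair that is shared, separating the CT precertificate case from a genuine duplicate of two final certificates. It assumes the RFC 6962 precertificate poison extension (OID 1.3.6.1.4.1.11129.2.4.3, critical, value NULL) as the marker that distinguishes a precertificate from a usable certificate; the e-mail itself does not mention that extension, and the CA name, serial numbers and key types are all constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// RFC 6962 precertificate poison extension (1.3.6.1.4.1.11129.2.4.3). It is
// marked critical so that TLS clients that do not know it must reject the
// certificate, which is what makes a precertificate unusable in practice.
var oidCTPoison = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}

// isPrecert reports whether the certificate carries the critical poison extension.
func isPrecert(c *x509.Certificate) bool {
	for _, e := range c.Extensions {
		if e.Critical && e.Id.Equal(oidCTPoison) {
			return true
		}
	}
	return false
}

// Collision describes one (issuer, serial) pair shared by more than one certificate.
type Collision struct {
	Serial       string
	FinalCount   int // certificates without the poison extension
	PrecertCount int // certificates carrying the poison extension
}

// findSerialReuse groups certificates by issuer DN (raw DER bytes) and serial
// number (RFC 5280 section 4.1.2.2 requires that pair to be unique per CA) and
// returns every group of size > 1, sorted by serial. FinalCount > 1 is a genuine
// violation; FinalCount == 1 with PrecertCount >= 1 is the CT precertificate case.
func findSerialReuse(certs []*x509.Certificate) []Collision {
	type key struct{ issuer, serial string }
	groups := map[key]*Collision{}
	for _, c := range certs {
		k := key{hex.EncodeToString(c.RawIssuer), c.SerialNumber.String()}
		col, ok := groups[k]
		if !ok {
			col = &Collision{Serial: k.serial}
			groups[k] = col
		}
		if isPrecert(c) {
			col.PrecertCount++
		} else {
			col.FinalCount++
		}
	}
	var out []Collision
	for _, col := range groups {
		if col.FinalCount+col.PrecertCount > 1 {
			out = append(out, *col)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Serial < out[j].Serial })
	return out
}

// buildSampleCerts constructs (in memory, constructed sample data) a CA plus leaf
// certificates that exercise the check: a precertificate and its final certificate
// sharing serial 42, an ordinary certificate with serial 43, and two final
// certificates that wrongly share serial 44. The CA certificate is returned first.
func buildSampleCerts() ([]*x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	certs := []*x509.Certificate{ca}
	// Each spec is (serial, poison); poison=true adds the RFC 6962 extension,
	// turning the otherwise identical template into a precertificate.
	for _, spec := range []struct {
		serial int64
		poison bool
	}{{42, true}, {42, false}, {43, false}, {44, false}, {44, false}} {
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(spec.serial), Subject: pkix.Name{CommonName: "example.com"},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature,
		}
		if spec.poison {
			tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCTPoison, Critical: true, Value: []byte{0x05, 0x00}}} // DER NULL
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
		if err != nil {
			return nil, err
		}
		c, err := x509.ParseCertificate(der) // parsing succeeds; only Verify would reject the unknown critical extension
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

func main() {
	certs, err := buildSampleCerts()
	if err != nil {
		panic(err)
	}
	for _, col := range findSerialReuse(certs) {
		fmt.Printf("serial %s: %d final, %d precert\n", col.Serial, col.FinalCount, col.PrecertCount)
	}
}
```

Run against the constructed set, the report shows serial 42 with one final certificate and one precertificate (the situation the ticket describes) and serial 44 with two final certificates (an unambiguous 4.1.2.2 violation); serial 43 is not reported. Pointing the same check at a CA's real issuance log is a cheap way to make sure precertificate reuse of a serial is the only kind of reuse present.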