Re: [Trans] Precertificate format

Ben Laurie <benl@google.com> Tue, 09 September 2014 12:07 UTC

In-Reply-To: <544B0DD62A64C1448B2DA253C011414607D07DC251@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
References: <540DFA75.2040000@gmail.com> <540E0E90.1070208@bbn.com> <CAFewVt5kZqw0-W7PqtFHe7yJUsR9PqVJ6C74ZShgo0qs19wLjA@mail.gmail.com> <544B0DD62A64C1448B2DA253C011414607D07DC251@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
Date: Tue, 9 Sep 2014 13:07:51 +0100
Message-ID: <CABrd9SR_5aLs8fjxvExp_=wZsj6oPCKZeDhe4uJFwuFE4jkDFA@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Rick Andrews <Rick_Andrews@symantec.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/l4s5VDrIDdFLXOFWaqJSSeSDysk
Cc: "trans@ietf.org" <trans@ietf.org>, Brian Smith <brian@briansmith.org>, Stephen Kent <kent@bbn.com>
Subject: Re: [Trans] Precertificate format

On 9 September 2014 00:24, Rick Andrews <Rick_Andrews@symantec.com> wrote:
>> The CA may use a Precertificate Signing Certificate to sign the Precertificate, and then sign the final certificate with the production CA certificate. Then, there would be no duplicate serial number issues.
>
> Brian, even if the CA uses a Precert signing cert, the precert's issuer name has to be that of the ultimate issuer, and the serial number has to be that of the ultimate certificate, so I don't think that solves the problem.

Surely it does, since it is actually signed by the precert signing cert. Changing the issuer name just means it's even less of a conflict, since it then shouldn't even validate according to normal rules.
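Added example, not part of this thread or of any CT implementation: a self-contained Go program that builds the objects under discussion and asks Go's stock X.509 validator what it makes of them. It issues a production CA and a Precertificate Signing Certificate under it, then produces a precertificate the way Rick describes (the ultimate issuer's name and AKI, the final certificate's serial number, the critical poison extension) but signed with the precert signing key, alongside the final certificate with the same issuer and serial signed by the CA. The CA is a self-signed root and all names are hypothetical; the poison-extension and precert-signing EKU OIDs are the ones RFC 6962 assigns. Building a precert that carries the CA's name but is signed with another key needs a name-only parent object, which is a Go API detail explained in the comments, not a CT requirement.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// OIDs from RFC 6962: the critical "poison" extension marking a precert, and the EKU marking a PSC.
var oidCTPoison = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}
var oidCTPrecertSignEKU = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 4}

type Outcome struct {
	SameIssuerAndSerial       bool // both carry the CA's issuer name and serial 1000
	PrecertSignedByCA         bool // precert signature checks against the CA key (expect false)
	PrecertSignedByPSC        bool // precert signature checks against the PSC key (expect true)
	PrecertPoisonIsCritical   bool // poison OID is left in precert.UnhandledCriticalExtensions
	PrecertRejectedAsPoisoned bool // Verify() against the CA fails on that critical extension
	FinalChainsToCA           bool // final certificate verifies against the CA (expect true)
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}

// issue signs tmpl with priv, taking issuer name and AKI from parent, and returns the parsed cert.
func issue(tmpl, parent *x509.Certificate, pub crypto.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c
}

func Demonstrate() Outcome {
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	// Production CA (a self-signed root here; an intermediate behaves the same). Names are hypothetical.
	caKey := newKey()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := issue(caTmpl, caTmpl, caKey.Public(), caKey)
	// Precertificate Signing Certificate: a CA cert issued by the production CA, EKU = CT precert signing.
	pscKey := newKey()
	pscTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Precert Signing CA"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidCTPrecertSignEKU},
	}
	psc := issue(pscTmpl, ca, pscKey.Public(), caKey)

	// One end-entity template serves both the precert and the final certificate.
	leafKey := newKey()
	leafTmpl := func() *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(1000), Subject: pkix.Name{CommonName: "www.example.test"},
			DNSNames: []string{"www.example.test"}, NotBefore: notBefore, NotAfter: notAfter,
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
	}

	// Precert: the ultimate issuer's name and AKI, the final serial and the critical poison extension
	// (value = DER NULL), signed with the PSC key. x509.CreateCertificate takes issuer name and AKI from
	// parent and checks the signing key against parent.PublicKey only when set, hence the name-only parent.
	preTmpl := leafTmpl()
	preTmpl.ExtraExtensions = []pkix.Extension{{Id: oidCTPoison, Critical: true, Value: []byte{0x05, 0x00}}}
	issuerNameOnly := &x509.Certificate{RawSubject: ca.RawSubject, SubjectKeyId: ca.SubjectKeyId}
	precert := issue(preTmpl, issuerNameOnly, leafKey.Public(), pscKey)
	// Final certificate: same template, no poison, signed by the production CA.
	final := issue(leafTmpl(), ca, leafKey.Public(), caKey)

	roots := x509.NewCertPool(); roots.AddCert(ca)
	_, preErr := precert.Verify(x509.VerifyOptions{Roots: roots})
	_, finErr := final.Verify(x509.VerifyOptions{Roots: roots})
	return Outcome{
		SameIssuerAndSerial:       precert.Issuer.String() == final.Issuer.String() && precert.SerialNumber.Cmp(final.SerialNumber) == 0,
		PrecertSignedByCA:         precert.CheckSignatureFrom(ca) == nil,
		PrecertSignedByPSC:        precert.CheckSignatureFrom(psc) == nil,
		PrecertPoisonIsCritical:   len(precert.UnhandledCriticalExtensions) == 1 && precert.UnhandledCriticalExtensions[0].Equal(oidCTPoison),
		PrecertRejectedAsPoisoned: errors.As(preErr, new(x509.UnhandledCriticalExtension)),
		FinalChainsToCA:           finErr == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Demonstrate())
}
```

Run it with go run. The precert fails the signature check against the CA key (it only checks out against the PSC key) and Verify rejects it outright on the unrecognised critical extension, while the final certificate with the identical issuer name and serial chains cleanly. Whatever issuer name the precert carries, a relying party doing normal path validation never ends up with two valid certificates for that issuer and serial, which is the distinction being drawn above.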