Re: [Trans] Precertificate format

Rick Andrews <Rick_Andrews@symantec.com> Mon, 08 September 2014 23:24 UTC

From: Rick Andrews <Rick_Andrews@symantec.com>
To: Brian Smith <brian@briansmith.org>, Stephen Kent <kent@bbn.com>
Date: Mon, 8 Sep 2014 16:24:26 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/mUuJDS_DHVihVbWKmRGE-LsZ5Bo
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] Precertificate format

> The CA may use a Precertificate Signing Certificate to sign the Precertificate, and then sign the final certificate with the production CA certificate. Then, there would be no duplicate serial number issues.

Brian, even if the CA uses a Precert signing cert, the precert's issuer name has to be that of the ultimate issuer, and the serial number has to be that of the ultimate certificate, so I don't think that solves the problem.

-Rick