Re: [Trans] Alternate formats for Precertificates

Carl Wallace <carl@redhoundsoftware.com> Wed, 26 February 2014 17:05 UTC

Date: Wed, 26 Feb 2014 12:05:42 -0500
From: Carl Wallace <carl@redhoundsoftware.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>, Ben Laurie <benl@google.com>
Message-ID: <CF3388E0.11D87%carl@redhoundsoftware.com>
Thread-Topic: [Trans] Alternate formats for Precertificates
References: <CABrd9SSOmEgbTvLNw5bPN2SnKbob800qEecn+tHvZUkrghFcQg@mail.gmail.com> <530E100A.7040503@primekey.se> <530E142A.90007@comodo.com> <530E16CD.6030908@primekey.se> <CABrd9SR1S7Fg5Xs_dkgou3HfF4O_hyzFxW4qS=-2eti7DmGZew@mail.gmail.com> <67380B58-5D8B-4B38-B20B-2FF6769FE94B@vpnc.org>
In-Reply-To: <67380B58-5D8B-4B38-B20B-2FF6769FE94B@vpnc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/oHEZD-dxZCpG-gESr8kRY7TeEek
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] Alternate formats for Precertificates
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>

On 2/26/14, 11:58 AM, "Paul Hoffman" <paul.hoffman@vpnc.org> wrote:

>RFC 4211 is also somewhat ambiguous. It says:
>
>   CertTemplate ::= SEQUENCE {
>      version      [0] Version               OPTIONAL,
>      serialNumber [1] INTEGER               OPTIONAL,
>      signingAlg   [2] AlgorithmIdentifier   OPTIONAL,
>      issuer       [3] Name                  OPTIONAL,
>      validity     [4] OptionalValidity      OPTIONAL,
>      subject      [5] Name                  OPTIONAL,
>      publicKey    [6] SubjectPublicKeyInfo  OPTIONAL,
>      issuerUID    [7] UniqueIdentifier      OPTIONAL,
>      subjectUID   [8] UniqueIdentifier      OPTIONAL,
>      extensions   [9] Extensions            OPTIONAL }
>
>And:
>
>      serialNumber MUST be omitted.  This field is assigned by the CA
>      during certificate creation.
>
>      signingAlg MUST be omitted.  This field is assigned by the CA
>      during certificate creation.
>
>If it "MUST be omitted", it is not optional. So, a document updating RFC
>4211 to fix this error, at least for the limited use of CT, seems fine.

If this is all that is sought, why not just use TBSCertificate as Rob
suggested and be done?  How would that run afoul of ritual compliance?
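An added example, not part of the thread and not from RFC 4211 or any CT implementation: because every CertTemplate field is OPTIONAL in the ASN.1, the "MUST be omitted" rule for serialNumber and signingAlg can only be enforced by the decoder. The Python below walks the top-level DER fields of a CertTemplate by their context-specific tag number (which identifies the field whether the inner tagging is implicit, as in the RFC 4211 module, or explicit), checks DER ordering, and reports the two forbidden fields if they are present. The field-name table comes from the definition quoted above; the sample DER blobs built by `build_sample` (a subject Name, an Ed25519 SubjectPublicKeyInfo with a dummy key, and optionally the forbidden serialNumber and signingAlg) are constructed for this example.

```python
"""Added example (not from the thread): enforce RFC 4211's "MUST be omitted" rule
for CertTemplate.serialNumber / signingAlg, which the ASN.1 itself cannot express."""

# Field names by context-specific tag number, from the CertTemplate definition.
FIELD_NAMES = {
    0: "version", 1: "serialNumber", 2: "signingAlg", 3: "issuer", 4: "validity",
    5: "subject", 6: "publicKey", 7: "issuerUID", 8: "subjectUID", 9: "extensions",
}
# RFC 4211 text: serialNumber and signingAlg MUST be omitted although OPTIONAL.
FORBIDDEN_TAGS = {1, 2}


def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (class, constructed, number, value, next_pos)."""
    first = buf[pos]
    pos += 1
    tag_class = first >> 6            # 0 universal, 1 application, 2 context-specific, 3 private
    constructed = bool(first & 0x20)
    number = first & 0x1F
    if number == 0x1F:                # tags >= 31 never occur in a CertTemplate
        raise ValueError("high-tag-number form not expected here")
    length = buf[pos]
    pos += 1
    if length & 0x80:                 # long form: 0x80|n, then n big-endian length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is BER, not DER")
        raw = buf[pos:pos + n]
        pos += n
        if len(raw) != n:
            raise ValueError("truncated length")
        length = int.from_bytes(raw, "big")
        if length < 0x80 or raw[0] == 0:
            raise ValueError("non-minimal length encoding (not DER)")
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated value")
    return tag_class, constructed, number, value, pos + length


def cert_template_fields(der):
    """Return [(tag_number, value_bytes)] for the top-level fields of a CertTemplate."""
    cls, constructed, number, body, end = read_tlv(der, 0)
    if (cls, constructed, number) != (0, True, 16):
        raise ValueError("CertTemplate must be a universal SEQUENCE")
    if end != len(der):
        raise ValueError("trailing bytes after CertTemplate")
    fields, last, pos = [], -1, 0
    while pos < len(body):
        cls, _, number, value, pos = read_tlv(body, pos)
        if cls != 2 or number not in FIELD_NAMES:
            raise ValueError("unexpected element in CertTemplate")
        if number <= last:            # DER: OPTIONAL fields appear at most once, in definition order
            raise ValueError("CertTemplate field [%d] repeated or out of order" % number)
        last = number
        fields.append((number, value))
    return fields


def check_cert_template(der):
    """Return (names of fields present, names that RFC 4211 says MUST be omitted)."""
    fields = cert_template_fields(der)
    present = [FIELD_NAMES[n] for n, _ in fields]
    violations = [FIELD_NAMES[n] for n, _ in fields if n in FORBIDDEN_TAGS]
    return present, violations


def tlv(tag, value):
    """Encode one DER TLV with a minimal-length field (used only to build sample input)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    raw = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value


def build_sample(include_forbidden):
    """Constructed CertTemplate: subject + publicKey, optionally plus the forbidden fields."""
    # subject [5]: Name is a CHOICE, so the tag is explicit: [5] wrapping the RDNSequence.
    cn = tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"example.test"))
    subject = tlv(0xA5, tlv(0x30, tlv(0x31, cn)))
    # publicKey [6]: implicitly tagged SubjectPublicKeyInfo (Ed25519 OID, dummy 32-byte key).
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2B6570")))
    spki = tlv(0xA6, alg + tlv(0x03, b"\x00" + bytes(range(32))))
    body = subject + spki
    if include_forbidden:
        serial = tlv(0x81, b"\x2A")                                # serialNumber [1] INTEGER 42
        signing = tlv(0xA2, tlv(0x06, bytes.fromhex("2B6570")))    # signingAlg [2] AlgorithmIdentifier
        body = serial + signing + body
    return tlv(0x30, body)


GOOD_TEMPLATE = build_sample(include_forbidden=False)
BAD_TEMPLATE = build_sample(include_forbidden=True)

if __name__ == "__main__":
    for label, blob in (("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE)):
        present, violations = check_cert_template(blob)
        print(label, "present:", present, "violations:", violations)
```

The check deliberately looks only at the outer tag number of each field, so it does not need to know which fields are implicitly and which explicitly tagged; a real decoder would go on to parse the field bodies. A TBSCertificate, by contrast, carries serialNumber and signature as mandatory untagged fields, so a profile that used it instead would have to state how those values are to be filled rather than omitted.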