Re: [Trans] Where do things stand with the precertificate format discussion?

Brian Smith <> Wed, 17 September 2014 22:35 UTC

From: Brian Smith <>
To: Melinda Shore <>

On Wed, Sep 17, 2014 at 2:45 PM, Melinda Shore <> wrote:
> There've been a couple of proposals for alternative representation,
> including TBS (alternatively, the CertTemplate format from 4211) and
> CRMF, and there seems to be some agreement congealing around Erwann's
> summary:
>>IIUC, what you propose is that the PreCert is a CMS (RFC5652) with a
>>signedData content-type, for which the data is the TBSCertificate
>>(name-redacted or not, no necessary poison extension). The SignerInfo
>>refers to the PreCert issuer (CA or dedicated issuer, same as now).

CMS is not a good format for the PreCert, because CMS is highly
complicated and unnecessarily complex for this purpose. And, in
particular, CMS is specified as a BER-encoded format, not a
DER-encoded format, and it isn't reasonable to require implementations
to support a BER-encoded format for CT when all other things they
process are DER-encoded. In particular, some implementations may have
specialized DER decoders that cannot be practically adapted to deal
with BER.

I previously suggested an alternative syntax that would be much easier
to implement:

> Related, there's a proposal on the table to walk through cert data and
> justify SCT contents.

There is a proposal for that, but I don't think it has much support. I
myself do not think that would be a useful thing to do.
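The BER-versus-DER point Brian raises above can be seen in code. The following is an added example, not code from Brian or from any CT implementation: a minimal DER-only TLV reader that rejects the BER-specific encodings (indefinite length, non-minimal length octets) that a CMS signedData structure is permitted to use. The byte strings are constructed samples of the same SEQUENCE in DER and in two BER forms.

```python
# Added example (not from the thread): a strict DER TLV reader that refuses
# the BER encodings CMS (RFC 5652) allows, showing why a DER-only decoder
# cannot simply be pointed at BER-encoded CMS.

class DERError(ValueError):
    pass

def read_tlv(buf, pos=0):
    """Parse one DER TLV at buf[pos]; return (tag, value_bytes, next_pos).
    Raises DERError on any encoding that is legal BER but not DER."""
    if pos >= len(buf):
        raise DERError("truncated: no tag byte")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise DERError("high tag numbers not handled in this example")
    pos += 1
    if pos >= len(buf):
        raise DERError("truncated: no length byte")
    first = buf[pos]
    pos += 1
    if first == 0x80:
        # BER indefinite length (value ends with 00 00): forbidden in DER.
        raise DERError("indefinite length is BER, not DER")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n > 4 or pos + n > len(buf):
            raise DERError("bad long-form length")
        octets = buf[pos:pos + n]
        pos += n
        if octets[0] == 0:
            raise DERError("leading zero length octet is non-minimal (BER only)")
        length = int.from_bytes(octets, "big")
        if length < 0x80:
            raise DERError("long form for a short length is non-minimal (BER only)")
    if pos + length > len(buf):
        raise DERError("truncated value")
    return tag, bytes(buf[pos:pos + length]), pos + length

# Constructed samples: SEQUENCE { INTEGER 5 } in DER, then the same content
# as BER with indefinite length, then BER with a non-minimal length (81 03).
DER_SEQ = bytes.fromhex("3003020105")
BER_INDEFINITE = bytes.fromhex("30800201050000")
BER_LONGFORM = bytes.fromhex("308103020105")

def is_strict_der(buf):
    """True if buf is exactly one well-formed DER TLV, False otherwise."""
    try:
        _, _, end = read_tlv(buf)
        return end == len(buf)
    except DERError:
        return False
```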