[Trans] Certificate and Precertificate extensions ordering

Erwann Abalea <eabalea@gmail.com> Thu, 11 September 2014 10:40 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/trans/pA7gn0EmFB69hM67fO8ODD6WuEA

Hello,

It seems there's no constraint on the order of extensions in the final
certificate relative to the Precert.
Won't it be problematic if the browser wants to validate the SCT signatures
by constructing the Precert from the final certificate? Where should a CA
add the poisonous extension? And the future "redactedlabels" extension (it
has no name)?

-- 
Erwann.
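As an added example (not part of Erwann's mail, and not code from RFC 6962 or any CT implementation), here is the reconstruction step the question is about: a verifier strips the SCT extension from the final certificate's Extensions SEQUENCE and must obtain, byte for byte, the extension list the log signed (the precert's list with its poison extension stripped). The DER encoder/decoder is hand-written here, and the extension payloads are constructed placeholders; the two OIDs under 1.3.6.1.4.1.11129.2.4 are the real RFC 6962 SCT-list and poison OIDs.

```python
import hashlib

# OID content octets: RFC 6962 SCT list and poison extensions, then basicConstraints and keyUsage.
OID_SCT_LIST = bytes.fromhex("2b06010401d679020402")
OID_POISON = bytes.fromhex("2b06010401d679020403")
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")
OID_KEY_USAGE = bytes.fromhex("551d0f")

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at buf[pos], long-form lengths included."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extension(oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, tlv(0x06, oid) + crit + tlv(0x04, value))

def strip_extension(extensions_der, oid):
    """Re-encode an Extensions SEQUENCE without `oid`, keeping the survivors in their original order."""
    tag, body, _ = read_tlv(extensions_der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    kept, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        if read_tlv(ext, 0)[1] != oid:       # first element of an Extension is its OID
            kept.append(tlv(0x30, ext))
    return tlv(0x30, b"".join(kept))

def reconstruction_matches(precert_exts, final_exts):
    """Verifier's view: final cert minus SCT extension must equal precert minus poison,
    byte for byte, or the hash under the SCT signature differs and validation fails."""
    logged = strip_extension(precert_exts, OID_POISON)
    rebuilt = strip_extension(final_exts, OID_SCT_LIST)
    return hashlib.sha256(logged).digest() == hashlib.sha256(rebuilt).digest()

# Constructed sample data: one precert and two final certs carrying the same extension set.
BC = extension(OID_BASIC_CONSTRAINTS, tlv(0x30, b""), critical=True)
KU = extension(OID_KEY_USAGE, tlv(0x03, b"\x05\xa0"))
SCT = extension(OID_SCT_LIST, tlv(0x04, b"\x00\x00"))   # placeholder SCT list, not a real one
POISON = extension(OID_POISON, b"\x05\x00", critical=True)  # extnValue holds ASN.1 NULL
PRECERT = tlv(0x30, BC + KU + POISON)
FINAL_SAME_ORDER = tlv(0x30, BC + KU + SCT)
FINAL_REORDERED = tlv(0x30, KU + BC + SCT)
```

`reconstruction_matches(PRECERT, FINAL_SAME_ORDER)` is true while `reconstruction_matches(PRECERT, FINAL_REORDERED)` is false, even though both final certificates contain exactly the same extensions: DER encodes the SEQUENCE in the CA's chosen order, so a CA that reorders extensions between precert and final certificate makes the SCT unverifiable from the final certificate alone.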