Re: [Trans] Precertificate format

Stephen Kent <kent@bbn.com> Tue, 09 September 2014 18:23 UTC

Return-Path: <kent@bbn.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09E081A8896 for <trans@ietfa.amsl.com>; Tue, 9 Sep 2014 11:23:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.853
X-Spam-Level:
X-Spam-Status: No, score=-5.853 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.652, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BDGI1c6UvzIC for <trans@ietfa.amsl.com>; Tue, 9 Sep 2014 11:23:23 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 969C11A8864 for <trans@ietf.org>; Tue, 9 Sep 2014 11:23:23 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:40454 helo=comsec.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1XRQ4m-000CDa-Vv for trans@ietf.org; Tue, 09 Sep 2014 14:23:37 -0400
Message-ID: <540F4598.5010505@bbn.com>
Date: Tue, 09 Sep 2014 14:23:20 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: trans@ietf.org
References: <540DFA75.2040000@gmail.com> <540E0E90.1070208@bbn.com> <540E28FD.7050809@gmail.com> <540ECD3A.4040704@primekey.se>
In-Reply-To: <540ECD3A.4040704@primekey.se>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/xqJ5knwReWgzc47O_nTzowcDVy4
Subject: Re: [Trans] Precertificate format
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Sep 2014 18:23:25 -0000

Tomas,

>
> Hi,
>
> I originally suggested (in the mail thread referenced) the 
> CertTemplate format from RFC4211, it has subject, issuer, serialNumber 
> and extensions (basically a TBSCertificate).
>
> Although the RFC says that serialNumber MUST be omitted, this is for 
> certificate request purposes and can surely be redefined.
>
> Don't remember if there were any other technical issues preventing a 
> CertTemplate to be used?
>
> Cheers,
> Tomas
I agree that using a redefined (to include the serial number) cert 
template from CRMF would avoid the 5280 issue, but it still requires the 
CA to assign the serial number before
the cert is issued. That is my biggest concern, i.e., it imposes a new 
requirement on
CAs, one that may have adverse security implication for some. 
Nonetheless, I like your suggestion (minus the serial number) as a 
starting point. See my next message.

Steve