Opened 8 years ago

Closed 7 years ago

#26 closed defect (fixed)

Precertificates: Find alternative format to X.509

Reported by: eranm@…
Owned by: rob.stradling@…
Priority: major
Milestone:
Component: rfc6962-bis
Version:
Severity: -
Keywords:
Cc:

Description

A fundamental problem with the existing Precertificates mechanism seems to be the issue of signing two different certificates (one with the poison extension, one without) with the same serial number.

Find another, acceptable way to represent precertificates so that they could still be signed by CAs (as a proof of commitment to issuing the final certificate) and avoid the problem of looking too much like an X.509 certificate.

Change History (2)

comment:1 Changed 7 years ago by rob.stradling@…

  • Owner changed from draft-ietf-trans-rfc6962-bis@… to rob.stradling@…

Decision (finally!): Precertificates will be CMS signed-data objects instead of X.509 certs. This has been discussed on the TRANS mailing list and at the Hawaii TRANS meeting, and AFAIK nobody has objected to this approach.

Proposed text:
https://github.com/google/certificate-transparency-rfcs/pull/9

comment:2 Changed 7 years ago by rob.stradling@…

  • Resolution set to fixed
  • Status changed from new to closed