Opened 7 years ago

Closed 7 years ago

#44 closed defect (invalid)

Precertificates SHOULD NOT be submitted to add-chain

Reported by: rob.stradling@…
Owned by: draft-ietf-trans-rfc6962-bis@…
Priority: minor
Milestone:
Component: rfc6962-bis
Version:
Severity: -
Keywords:


Not all X.509 certificates are valid RFC6962 Precertificates, but all RFC6962 Precertificates are valid X.509 certificates. Therefore, the current text allows a Precertificate to be submitted to add-chain, and the Log would be expected to return an SCT where the "signed_entry" is of type "x509_entry". Such an SCT would be useless, because an RFC6962 Precertificate cannot be used as a "regular" certificate due to the critical poison extension.

If we change Precertificates to not use the X.509 certificate format (ticket #26), that would resolve this issue.

But if we continue to use the X.509 format for Precertificates, we should resolve this issue by either...

  • adding text to say "Submitters SHOULD NOT send Precertificates to add-chain" and "Logs SHOULD NOT generate x509_entry SCTs for Precertificates".

  • unifying add-chain and add-pre-chain. The Log server would then be required to determine whether to generate an x509_entry SCT or a precert_entry SCT, by checking if the supplied cert includes the poison extension.
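
The poison-extension check that the second option would require of a Log server, as an added example that is not part of the original ticket or of any log implementation. The function names (`entry_type`, `sample_cert`, `tlv`) are hypothetical, the sample is a constructed skeleton rather than a valid signed certificate, and rejecting a malformed poison extension is this example's own choice; the OID 1.3.6.1.4.1.11129.2.4.3, the critical flag and the ASN.1 NULL value follow RFC 6962 section 3.1.

```python
POISON_OID = bytes.fromhex("2b06010401d679020403")  # DER body of 1.3.6.1.4.1.11129.2.4.3

def read_tlv(buf, pos):  # -> (tag, value, next_pos); single-byte tags only
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split the contents of a constructed value into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def extensions(cert_der):  # each Extension as a list of its (tag, value) fields
    _, cert, _ = read_tlv(cert_der, 0)
    for tag, val in children(children(cert)[0][1]):      # fields of tbsCertificate
        if tag == 0xA3:                                   # [3] EXPLICIT Extensions
            return [children(ext) for _, ext in children(children(val)[0][1])]
    return []

def entry_type(cert_der):
    """'precert_entry' if the critical poison extension (extnValue = NULL, 05 00) is present."""
    for ext in extensions(cert_der):
        if ext and ext[0] == (0x06, POISON_OID):
            if len(ext) != 3 or ext[1] != (0x01, b"\xff") or ext[2] != (0x04, b"\x05\x00"):
                raise ValueError("malformed poison extension")  # this example's choice
            return "precert_entry"
    return "x509_entry"

def tlv(tag, *parts):                       # encoder used only to build the constructed sample
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body   # short-form length: sample stays < 128 bytes

def sample_cert(poisoned):
    """Constructed skeleton (version, serial, extensions); not a valid signed certificate."""
    exts = [tlv(0x30, tlv(0x06, bytes.fromhex("551d13")), tlv(0x04, tlv(0x30)))]  # basicConstraints
    if poisoned:
        exts.append(tlv(0x30, tlv(0x06, POISON_OID), tlv(0x01, b"\xff"), tlv(0x04, b"\x05\x00")))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), tlv(0xA3, tlv(0x30, *exts)))
    return tlv(0x30, tbs)
```

`entry_type(sample_cert(True))` returns `precert_entry` and `entry_type(sample_cert(False))` returns `x509_entry`.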

Change History (1)

comment:1 Changed 7 years ago by rob.stradling@…

  • Resolution set to invalid
  • Status changed from new to closed

The issue raised by this ticket is no longer a concern, because we're changing the Precertificate format to a CMS signed-data object (see ticket #26).
