On 19 December 2012 13:02, Rob Stradling <rob.stradl...@comodo.com> wrote:
> On 19/12/12 12:47, Stephen Farrell wrote:
> <snip>
>
>> The 2nd part of the comment was that if you do need
>> to change the precertificate_chain idea (if the
>> issuing CA cannot create a precert issuer under itself
>> e.g. because of a pathLenConstraint) then the
>> PrecertChainEntry syntax might also have to change.
>> I dunno if that'd be a real problem now, or only
>> later, or is just theoretical but I'd say there
>> will be CAs that can issue TLS server certs but
>> that cannot issue a sub-ca cert for precertificates.
>
>
> Ben, you said to me privately a couple of months ago that you would be happy
> to support the option of having each pre-cert signed directly by the same
> root/intermediate CA that will sign the final cert.
>
> Are you still happy to support this option?

Absolutely. All we care about is a strong link to the issuer - we don't care how that's achieved! The current convoluted method was, I think, in response to some CAs' concern that they didn't want to issue a usable cert as an intermediate step.

> IMHO, having to include a Precertificate Signing Certificate in the precert
> chain represents unnecessary hassle.
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online

_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey
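As an added illustration (not code from this thread or from the CT project), the following encodes and decodes the PrecertChainEntry structure as it was later fixed in RFC 6962 section 3.1, and builds the two chain shapes the exchange is about: a precert signed by a Precertificate Signing Certificate (which then has to lead the chain) versus a precert signed directly by the issuing CA. The certificate values are constructed placeholder byte strings standing in for DER, not real certificates.

```python
# Added example: TLS-style encoding of RFC 6962 PrecertChainEntry
#   struct { ASN.1Cert pre_certificate; ASN.1Cert precertificate_chain<0..2^24-1>; }
#   opaque ASN.1Cert<1..2^24-1>;
# Certificates below are constructed placeholders, not DER.
from typing import List, Tuple

def _u24(n: int) -> bytes:
    # 3-byte big-endian length prefix used by <0..2^24-1> vectors.
    if not 0 <= n < 1 << 24:
        raise ValueError("length exceeds 24-bit field")
    return n.to_bytes(3, "big")

def encode_precert_chain_entry(pre_cert: bytes, chain: List[bytes]) -> bytes:
    """Serialise pre_certificate followed by the length-prefixed chain vector."""
    if not pre_cert:
        raise ValueError("ASN.1Cert must be at least 1 byte")
    chain_body = b"".join(_u24(len(c)) + c for c in chain)
    return _u24(len(pre_cert)) + pre_cert + _u24(len(chain_body)) + chain_body

def decode_precert_chain_entry(data: bytes) -> Tuple[bytes, List[bytes]]:
    """Inverse of encode_precert_chain_entry; rejects truncated or trailing bytes."""
    def take(buf: bytes, pos: int) -> Tuple[bytes, int]:
        if pos + 3 > len(buf):
            raise ValueError("truncated length field")
        n = int.from_bytes(buf[pos:pos + 3], "big")
        pos += 3
        if pos + n > len(buf):
            raise ValueError("truncated vector body")
        return buf[pos:pos + n], pos + n
    pre_cert, pos = take(data, 0)
    chain_body, pos = take(data, pos)
    if pos != len(data):
        raise ValueError("trailing bytes after PrecertChainEntry")
    chain, p = [], 0
    while p < len(chain_body):
        cert, p = take(chain_body, p)
        chain.append(cert)
    return pre_cert, chain

# Constructed placeholders standing in for DER certificates.
ROOT = b"ROOT-CA"
INTERMEDIATE = b"ISSUING-CA"
PRECERT_SIGNING = b"PRECERT-SIGNING-CA"   # sub-CA issued under INTERMEDIATE
PRECERT = b"PRECERT-FOR-EXAMPLE.NET"

def entry_with_precert_signing_cert() -> bytes:
    # Chain starts with the Precertificate Signing Certificate, then the issuer chain.
    return encode_precert_chain_entry(PRECERT, [PRECERT_SIGNING, INTERMEDIATE, ROOT])

def entry_direct_signed() -> bytes:
    # Precert signed directly by the issuing CA: no extra sub-CA in the chain.
    return encode_precert_chain_entry(PRECERT, [INTERMEDIATE, ROOT])
```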