On 20/12/12 11:39, Ben Laurie wrote:
> On 20 December 2012 11:38, Ben Laurie <[email protected]> wrote:
> > On 20 December 2012 11:28, Rob Stradling <[email protected]> wrote:
> > > On 20/12/12 11:20, Ben Laurie wrote:
> > > > On 20 December 2012 09:50, Stephen Farrell <[email protected]> wrote:
> > > > > - Having a thing with basicConstraints.cA==false issue precerts
> > > > > seems wrong, but that may be better discussed during IETF LC so
> > > > > I'm not requesting a change now.
> > > >
> > > > This was deliberate to avoid the precertificate being a valid
> > > > certificate, as requested by CAs.
> > >
> > > Ben, doesn't the new poison critical extension requirement mean that this
> > > Basic Constraints hack is no longer needed?
> > > The poison critical extension means that a precert cannot be used as a cert.
> > > Is that not invalid enough?!?
> >
> > Probably.
>
> I've removed it.

Ben, I see that "(note that the log may relax standard validation rules
to allow this, so long as the final signed certificate will be valid)"
is still present in -05. I think I see why...
Am I correct that the Issuer and Authority Key Identifier fields in a
precertificate MUST match the Subject and Subject Key Identifier fields
in "the CA certificate that will sign the final certificate", even if
the precertificate is actually signed by the private key that
corresponds to a Precertificate Signing Certificate?
If yes, then I think it might be worth emphasizing this point.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey