On 20/12/12 14:49, Ben Laurie wrote:
<snip>
Ben, I see that "(note that the log may relax standard validation rules to
allow this, so long as the final signed certificate will be valid)" is still
present in -05. I think I see why...
Am I correct that the Issuer and Authority Key Identifier fields in a
precertificate MUST match the Subject and Subject Key Identifier fields in
"the CA certificate that will sign the final certificate", even if the
precertificate is actually signed by the private key that corresponds to a
Precertificate Signing Certificate?
If yes, then I think it might be worth emphasizing this point.
Right now the log actually replaces these with the right things,
rather than requiring the pre-cert to contain them. But again, we are
happy to be guided by CAs on the best thing to do here.
The reason for that note was actually for things like path length
constraints that might get violated by inserting an extra
intermediate.
Ah, I see. I'll be using the "CA certificate that will sign the final
certificate" option when I implement this for Comodo, so I don't really
have any opinions on what "the best thing to do here" is.
If any CAs intend to use Precertificate Signing Certificates but are
unable to tweak their CA software to "relax standard validation rules",
then they should speak up now!
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
