What exactly is a 'precertificate'? Either something is a cert or it is not.
If it parses as an X.509v3 certificate then it is an X.509v3 certificate and that's an end to it. If it is not then it is probably a CSR which would seem to be the existing PKIX structure that fits its purpose.

On Mon, Feb 24, 2014 at 1:21 PM, Ben Laurie <[email protected]> wrote:

> On 24 February 2014 17:52, Melinda Shore <[email protected]> wrote:
> > On 2/24/14 7:35 AM, Eran Messeri wrote:
> >> I'll be happy to scribe half the session.
> >
> > Excellent - thank you.
> >
> >> As for the agenda, I'd like to suggest discussing handling of private
> >> subdomains
> >> <https://code.google.com/p/certificate-transparency/issues/detail?id=20>.
> >> IMHO while the suggestion in the issue makes sense, it'd benefit from
> >> another review to make sure it would work as intended and covers all
> >> cases CAs are concerned about.
> >
> > That one looks to me like a hairball. Right now it's a MUST
> > in 5280 that a serial number be unique for each certificate
> > issued by a CA.
>
> Precertificates already share serial numbers with certificates. The
> intent of 5280 is not violated by this practice, but perhaps needs
> amending to permit it.
>
> _______________________________________________
> Trans mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/trans

--
Website: http://hallambaker.com/
