On 25/02/14 07:23, Ben Laurie wrote:
> On 24 February 2014 19:17, Phillip Hallam-Baker <[email protected]> wrote:
>> What exactly is a 'precertificate'? Either something is a cert or it is not.
>> If it parses as an X.509v3 certificate then it is an X.509v3 certificate and
>> that's an end to it.
>
> Indeed, and a precertificate is a certificate. RFC 6962 defines what
> exactly it is.
>
> Not sure where you're going with this.
>
>> If it is not then it is probably a CSR which would seem to be the existing
>> PKIX structure that fits its purpose.
>
> Not really - a precertificate needs to be signed.

CSRs are signed. Self-signed, usually.
I think Phill is suggesting that a Precertificate could be a CSR,
generated and signed by the CA (rather than self-signed by the
certificate applicant). The problem I see with this is that the CSR
format doesn't contain some of the essential fields that MUST be present
in a Precertificate: Serial Number, Issuer Name, etc.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
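
Added example, not part of the original message or of any project's code: a Go sketch that walks the signed body of a DER-encoded CSR and of a certificate and lists the ASN.1 tag of each top-level field, to make the structural difference discussed above visible. The key (an all-zero Ed25519 seed), the subject name, the serial number and the helper names `tbsTags` and `samples` are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// tbsTags lists class:tag of each top-level field in the signed body of a DER CSR or certificate.
func tbsTags(der []byte) (tags []string, err error) {
	var outer, body, f asn1.RawValue
	if _, err = asn1.Unmarshal(der, &outer); err != nil {
		return nil, err
	}
	if _, err = asn1.Unmarshal(outer.Bytes, &body); err != nil {
		return nil, err
	}
	for rest := body.Bytes; len(rest) > 0; {
		if rest, err = asn1.Unmarshal(rest, &f); err != nil {
			return nil, err
		}
		tags = append(tags, fmt.Sprintf("%d:%d", f.Class, f.Tag))
	}
	return tags, nil
}

// samples builds a CSR and a certificate signed by one constructed test key.
func samples() (csr, cert []byte, err error) {
	key := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // all-zero seed, demo only
	n := pkix.Name{CommonName: "constructed.example.test"}
	csr, err = x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: n}, key)
	if err != nil {
		return nil, nil, err
	}
	c := &x509.Certificate{SerialNumber: big.NewInt(4660), Subject: n, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	cert, err = x509.CreateCertificate(rand.Reader, c, c, key.Public(), key)
	return csr, cert, err
}

func main() {
	csr, cert, err := samples()
	c, _ := tbsTags(csr)
	t, _ := tbsTags(cert)
	fmt.Println("CSR body (RFC 2986):", c, "\ncert body (RFC 5280):", t, "\nerr:", err)
}
```

In the output, `0:2` is an INTEGER, `0:16` a SEQUENCE and `2:n` a context tag `[n]`. The CSR body has four fields (version, subject, subjectPKInfo, attributes), while the certificate body runs version, serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo.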