On 26/02/14 12:27, Ben Laurie wrote:
> On 26 February 2014 11:57, Rob Stradling <[email protected]> wrote:
<snip>
>> But if we must have ritual compliance with 5280, then my preferred solution
>> is to "poison" the Issuer Name in the Precertificate.
>>
>> For example...
>> Certificate Issuer Name: C=GB, O=My CA Ltd., CN=My CA
>> Precertificate Issuer Name: 1.2.3.4=CT, C=GB, O=My CA Ltd., CN=My CA
>>
>> Sign both the Precertificate and the Certificate with the same CA private
>> key.  Use the same serial number for both.
>>
>> It wouldn't matter whether or not there exists a CA Certificate with the
>> Subject Name "1.2.3.4=CT, C=GB, O=My CA Ltd., CN=My CA".
>
> Ah. I like that idea. Rather less than I like the idea of fixing the
> need for ritual compliance, though.

+1

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
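
The pairing rule proposed in the quoted message, written out as an added example (not code from the thread or from any CT implementation): a Precertificate matches a Certificate when stripping the leading poison RDN yields the Certificate's Issuer Name and the serial numbers are equal. The function names, the simplified DN parser and the rule that a final Certificate must not carry the poison RDN are assumptions of this sketch; `1.2.3.4=CT` is the placeholder from the message.

```python
# Added illustration; all names here are hypothetical.
POISON_RDN = ("1.2.3.4", "CT")  # placeholder OID and value used in the message


def parse_dn(text):
    """Parse 'K=V, K=V' into a list of (type, value) RDNs.
    Assumes no escaped commas or multi-valued RDNs (enough for this sample)."""
    rdns = []
    for part in text.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep or not key or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((key, value))
    return rdns


def poison_issuer(issuer):
    """Issuer Name a CA would place in the Precertificate."""
    return [POISON_RDN] + list(issuer)


def real_issuer(precert_issuer):
    """Strip the poison RDN; refuse names not poisoned exactly once, in front."""
    if not precert_issuer or precert_issuer[0] != POISON_RDN:
        raise ValueError("Precertificate issuer lacks the leading poison RDN")
    rest = precert_issuer[1:]
    if POISON_RDN in rest:
        raise ValueError("poison RDN appears more than once")
    return rest


def pairs_with(precert, cert):
    """True if cert is the Certificate this Precertificate corresponds to."""
    if POISON_RDN in cert["issuer"]:
        return False  # assumption: a final Certificate never carries the poison
    try:
        issuer = real_issuer(precert["issuer"])
    except ValueError:
        return False
    return issuer == cert["issuer"] and precert["serial"] == cert["serial"]


# Constructed sample data, using the names from the message.
CA = parse_dn("C=GB, O=My CA Ltd., CN=My CA")
PRECERT = {"issuer": parse_dn("1.2.3.4=CT, C=GB, O=My CA Ltd., CN=My CA"),
           "serial": 0x1234}
CERT = {"issuer": CA, "serial": 0x1234}
```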
