>> While I agree that lack of a CA certificate with the matching naming
>> really doesn't matter, breaking name chaining seems like an odd way to
>> maintain "ritual compliance". Why not bump the version number instead?
>> v4 could be defined as a pre-certificate containing a poison extension
>> and a serial number that matches its v3 counterpart.
>
> Hi Carl. I briefly discussed the idea of changing the version number
> with Ben a few months ago...

Sorry for the rehash. There are occasions where I miss an email in this list :-)

> Rob: "More wacky idea...
> I wonder if we could get away with putting 0x4354 in the certificate's
> Version field. That might be enough to place it out-of-scope of
> RFC5280, and therefore out-of-scope of the duplicate serial number rule.
> Probably more likely to break something though."
>
> Ben: "I imagine it'd be hard to coerce most s/w to do this."

The same probably applies to name chaining.

> Also, I don't suppose IETF has the authority to define new X.509
> versions anyway.

It'd certainly be cleaner to bump a version. You could also do something like define the pre-certificate to be an X.509 certificate as defined in the RFC wrapped in a ContentInfo and forget about mucking with names or version numbers.

> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
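As an added illustration of the pair the thread is arguing about (not code from the list or from any participant), the following builds a pre-certificate carrying the RFC 6962 poison extension and a final certificate with the same serial number, then shows why a plain RFC 5280 verifier rejects the former but accepts the latter. It assumes the third-party Python 'cryptography' package is installed; the CA name, subject and serial are constructed values.

```python
# Added example (not from the thread): a CT pre-certificate with the RFC 6962
# poison extension next to its final certificate sharing the SAME serial number.
# Uses the third-party 'cryptography' package (assumed installed); keys, names
# and the serial below are constructed for the demonstration.
import datetime
from cryptography import x509
from cryptography.x509.oid import ExtensionOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

PRECERT_POISON_OID = ExtensionOID.PRECERT_POISON  # 1.3.6.1.4.1.11129.2.4.3


def _build(issuer_key, issuer_name, serial, poison):
    now = datetime.datetime(2014, 1, 1, tzinfo=datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")]))
         .issuer_name(issuer_name)
         .public_key(ec.generate_private_key(ec.SECP256R1()).public_key())
         .serial_number(serial)
         .not_valid_before(now)
         .not_valid_after(now + datetime.timedelta(days=90)))
    if poison:
        # RFC 6962 makes the poison extension critical on purpose: a client that
        # does not understand it must reject the pre-certificate outright.
        b = b.add_extension(x509.PrecertPoison(), critical=True)
    return b.sign(issuer_key, hashes.SHA256())


def make_pair(serial=0x1234):
    """Constructed CA issues a pre-certificate and its final counterpart, same serial."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    return _build(ca_key, ca_name, serial, poison=True), _build(ca_key, ca_name, serial, poison=False)


def has_unknown_critical(cert, known_oids):
    """RFC 5280 6.1: an unrecognised critical extension makes the certificate unusable."""
    return any(e.critical and e.oid not in known_oids for e in cert.extensions)


def check_pair(precert, final):
    poison = precert.extensions.get_extension_for_oid(PRECERT_POISON_OID)
    return {
        "same_serial": precert.serial_number == final.serial_number,
        "poison_critical": poison.critical,
        # A verifier that knows no CT OIDs must refuse the pre-certificate...
        "rfc5280_rejects_precert": has_unknown_critical(precert, set()),
        # ...while the poison-free final certificate passes the same check.
        "rfc5280_accepts_final": not has_unknown_critical(final, set()),
    }
```

The duplicate-serial tension discussed above is visible here: both objects are syntactically valid v3 certificates from the same issuer with the same serial, and only the critical poison extension keeps the pre-certificate from being usable as a certificate.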
