On 02/26/2014 07:30 AM, Ben Laurie wrote:
On 26 February 2014 14:13, Tomas Gustavsson <[email protected]> wrote:
Did anyone consider using RFC4211 CRMF requests as "pre-certificates"?
CRMF has both issuer and serialNumber, as well as extensions. The
CertTemplate of RFC4211 is basically a TBSCertificate.
Hmm. So it is. I had not come across this RFC before.
Does anything implement it?
Absolutely. It is used in CMP (RFC4210). EJBCA has had support for it as
a request format for years, so we have code for both producing and
parsing of course.
BouncyCastle has Java APIs for CMP/CRMF.
http://www.bouncycastle.org/
cmpforopenssl supports it I believe, C API and command line.
http://sourceforge.net/apps/mediawiki/cmpforopenssl/index.php?title=Main_Page
I don't know why I did not think of this earlier, since I use it all the
time. CMP with CRMF is used in many systems in production. Card
management, LTE base stations (3GPP standardization), some routers etc.
Re-using existing RFC always feels good :-)
Cheers,
Tomas
Cheers,
Tomas
PS: time to change subject of the thread?
On 02/26/2014 05:46 AM, Rob Stradling wrote:
On 26/02/14 13:33, Carl Wallace wrote:
While I agree that lack of a CA certificate with the matching naming
really doesn't matter, breaking name chaining seems like an odd way to
maintain "ritual compliance". Why not bump the version number instead?
v4 could be defined as a pre-certificate containing a poison extension
and a serial number that matches its v3 counterpart.
Hi Carl. I briefly discussed the idea of changing the version number
with Ben a few months ago...
Sorry for the rehash. There are occasions where I miss an email in this
list:-)
No need to apologize. It was an off-list discussion. :-)
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans