Another +1 for RFC4211/4210; my company's certificate issuance platform has supported CMP/CRMF for many years and we have several large customers using it for LTE applications as Tomas described below.
-----Original Message-----
From: Trans [mailto:[email protected]] On Behalf Of Tomas Gustavsson
Sent: Wednesday, February 26, 2014 10:02 AM
To: [email protected]
Subject: Re: [Trans] Alternate formats for Precertificates

On 02/26/2014 07:30 AM, Ben Laurie wrote:
> On 26 February 2014 14:13, Tomas Gustavsson <[email protected]> wrote:
>>
>> Did anyone consider using RFC4211 CRMF requests as "pre-certificates"?
>> CRMF has both issuer and serialNumber, as well as extensions. The
>> CertTemplate of RFC4211 is basically a TBSCertificate.
>
> Hmm. So it is. I had not come across this RFC before.
>
> Does anything implement it?

Absolutely. It is used in CMP (RFC4210). EJBCA has had support for it as a request format for years, so we have code for both producing and parsing of course.

BouncyCastle has Java APIs for CMP/CRMF.
http://www.bouncycastle.org/

cmpforopenssl supports it I believe, C API and command line.
http://sourceforge.net/apps/mediawiki/cmpforopenssl/index.php?title=Main_Page

I don't know why I did not think of this earlier, since I use it all the time. CMP with CRMF is used in many systems in production. Card management, LTE base stations (3GPP standardization), some routers etc.

Re-using existing RFC always feels good :-)

Cheers,
Tomas

>
>>
>> Cheers,
>> Tomas
>>
>> PS: time to change subject of the thread?
>>
>>
>> On 02/26/2014 05:46 AM, Rob Stradling wrote:
>>> On 26/02/14 13:33, Carl Wallace wrote:
>>>>>>
>>>>>> While I agree that lack of a CA certificate with the matching
>>>>>> naming really doesn't matter, breaking name chaining seems like
>>>>>> an odd way to maintain "ritual compliance". Why not bump the version
>>>>>> number instead?
>>>>>> v4 could be defined as a pre-certificate containing a poison
>>>>>> extension and a serial number that matches its v3 counterpart.
>>>>>
>>>>> Hi Carl. I briefly discussed the idea of changing the version
>>>>> number with Ben a few months ago...
>>>>
>>>> Sorry for the rehash. There are occasions where I miss an email in
>>>> this list :-)
>>>
>>> No need to apologize. It was an off-list discussion. :-)
>>>
>>
>> _______________________________________________
>> Trans mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/trans
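The thread's point is that an RFC 4211 CertTemplate already carries the three things a CT pre-certificate needs: the issuer, the serialNumber and the extensions (including the poison extension Carl mentions). The following is an added illustration, not code from the thread, from EJBCA or from BouncyCastle: a dependency-free Python DER encoder and decoder for just those three CertTemplate fields, using the IMPLICIT tagging of the RFC 4211 module. The issuer name, serial number and OID constants are constructed for the example; the issuer is assumed to be a single CN RDN, and the poison extension is encoded as the critical NULL-valued extension that RFC 6962 defines.

```python
# Added example (not from the Trans thread, EJBCA or BouncyCastle):
# minimal DER handling for RFC 4211 CertTemplate serialNumber [1],
# issuer [3] and extensions [9]. Assumes IMPLICIT tagging (per RFC 4211),
# a single-CN issuer, and constructed sample values.

CN_OID = "2.5.4.3"
# RFC 6962 precertificate poison extension: critical, value is ASN.1 NULL.
CT_POISON_OID = "1.3.6.1.4.1.11129.2.4.3"


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body


def int_body(value):
    """Minimal two's-complement content octets for a non-negative INTEGER."""
    return value.to_bytes(value.bit_length() // 8 + 1, "big")


def oid_body(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128 with continuation bits
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def oid_from_body(body):
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_name(cn):
    """Name ::= SEQUENCE OF RDN; here one RDN = SET OF one CN attribute."""
    atv = tlv(0x30, tlv(0x06, oid_body(CN_OID)) + tlv(0x0C, cn.encode("utf-8")))
    return tlv(0x30, tlv(0x31, atv))


def encode_extension(oid, critical, value):
    body = tlv(0x06, oid_body(oid))
    if critical:                         # BOOLEAN DEFAULT FALSE: omit when FALSE
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body + tlv(0x04, value))


def encode_cert_template(serial, issuer_cn, extensions):
    """CertTemplate with serialNumber [1], issuer [3] and extensions [9].

    [1] and [9] are IMPLICIT (0x81 primitive, 0xA9 constructed); [3] stays
    EXPLICIT (0xA3 wrapping the Name SEQUENCE) because Name is a CHOICE.
    """
    body = tlv(0x81, int_body(serial))
    body += tlv(0xA3, encode_name(issuer_cn))
    body += tlv(0xA9, b"".join(encode_extension(*e) for e in extensions))
    return tlv(0x30, body)


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        yield tag, content


def decode_cert_template(der):
    tag, body, _ = read_tlv(der, 0)
    assert tag == 0x30, "CertTemplate must be a SEQUENCE"
    out = {"serialNumber": None, "issuer": None, "extensions": []}
    for tag, content in iter_tlvs(body):
        if tag == 0x81:
            out["serialNumber"] = int.from_bytes(content, "big")
        elif tag == 0xA3:
            _, name, _ = read_tlv(content, 0)   # unwrap the EXPLICIT tag
            for _, rdn in iter_tlvs(name):
                for _, atv in iter_tlvs(rdn):
                    fields = list(iter_tlvs(atv))
                    if oid_from_body(fields[0][1]) == CN_OID:
                        out["issuer"] = fields[1][1].decode("utf-8")
        elif tag == 0xA9:
            for _, ext in iter_tlvs(content):
                fields = list(iter_tlvs(ext))
                critical = len(fields) == 3 and fields[1][1] == b"\xff"
                out["extensions"].append((oid_from_body(fields[0][1]), critical, fields[-1][1]))
    return out


if __name__ == "__main__":
    der = encode_cert_template(0x1234, "Example CT Test CA",
                               [(CT_POISON_OID, True, b"\x05\x00")])
    print(der.hex())
    print(decode_cert_template(der))
```

Round-tripping a template through `encode_cert_template` and `decode_cert_template` shows the serial, issuer and poison extension surviving intact, which is the property that lets a log operator compare a CRMF-style pre-certificate against the final certificate field by field. Other CertTemplate fields (subject, publicKey, validity) would be added with the same tag-and-wrap pattern.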
