Brad,
> All that is really needed is a well-defined and easily reversible
> transformation of the serial number that can be applied to verify the proof.
> As issuing non-randomized serial numbers is no longer an acceptable practice
> for CAs, it could be as simple as:
>
>     certSerialNum = preCertSerialNum++;
I don't think I understand your suggested solution.
I believe the fundamental problem is that CA software/hardware may

1. not allow a CA to assign or even predict the serial number that appears in a cert
2. prevent assignment of duplicate serial numbers by the same CA
3. provide no way to coordinate serial numbers between two distinct CA instances
This suggests that the serial number assigned to a precert may not be
algorithmically related to the serial number that is assigned to the real
cert that will contain the SCT based on the precert.

If #1 is true, then I don't think the alg you indicated in your equation
can be employed.

If #2 is true, the precert and cert serial numbers can't be the same unless
different CAs are employed for the precert and cert issuance. If different
CAs are employed because of #2, then #1 or #3 would preclude the alg you
suggested.
Steve
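An added illustration of the check being debated above; this is not code from the thread or from any CT implementation. It models a TBSCertificate as a small dataclass (the real structure is DER), assumes a verifier that strips the CT poison and SCT extensions before comparing precert and cert, and takes the serial-number relation as a parameter so the "increment" scheme and plain equality can both be tried. The random serial generator stands in for the CA's own, uncontrollable assignment (point #1): when the final cert's serial is drawn independently, no fixed relation to the precert serial can be verified.

```python
import os
from dataclasses import dataclass, field, replace
from typing import Callable, Dict

# RFC 6962 extension OIDs, used here only as dictionary keys in the toy model.
POISON_EXT = "1.3.6.1.4.1.11129.2.4.3"   # precertificate poison
SCT_EXT = "1.3.6.1.4.1.11129.2.4.2"      # embedded SCT list


@dataclass(frozen=True)
class TBS:
    """Simplified TBSCertificate (hypothetical model, not DER)."""
    serial: int
    issuer: str
    subject: str
    not_before: str
    not_after: str
    extensions: Dict[str, bytes] = field(default_factory=dict)


def random_serial() -> int:
    # At least 64 bits of CSPRNG output, as current CA practice requires.
    # Models a CA product that picks the serial itself (point #1 in the mail).
    return int.from_bytes(os.urandom(8), "big") | 1


def strip_ct_extensions(tbs: TBS) -> TBS:
    """Remove the poison and SCT extensions so precert and cert can be compared."""
    exts = {oid: v for oid, v in tbs.extensions.items() if oid not in (POISON_EXT, SCT_EXT)}
    return replace(tbs, extensions=exts)


def matches(precert: TBS, cert: TBS, relation: Callable[[int], int]) -> bool:
    """True if `cert` is the final form of `precert` under the given serial relation.

    `relation` maps the precert serial to the expected cert serial; the rest of
    the TBS (minus CT extensions) must be identical.
    """
    if cert.serial != relation(precert.serial):
        return False
    return (strip_ct_extensions(replace(precert, serial=0))
            == strip_ct_extensions(replace(cert, serial=0)))


def increment(s: int) -> int:
    # Brad's suggested reversible transformation: certSerialNum = preCertSerialNum + 1
    return s + 1


def identity(s: int) -> int:
    return s


def make_precert(serial: int) -> TBS:
    # Constructed sample precert.
    return TBS(serial, "CN=Example CA", "CN=example.test",
               "2014-01-01", "2015-01-01", {POISON_EXT: b"\x05\x00"})


def finalize(precert: TBS, serial: int, sct: bytes = b"<sct list>") -> TBS:
    """The CA's final cert: same TBS, CA-chosen serial, poison replaced by SCTs."""
    exts = {oid: v for oid, v in precert.extensions.items() if oid != POISON_EXT}
    exts[SCT_EXT] = sct
    return replace(precert, serial=serial, extensions=exts)


def ca_controls_serial_scenario() -> bool:
    """CA can set the serial: the increment relation is verifiable."""
    pre = make_precert(1000)
    return matches(pre, finalize(pre, increment(pre.serial)), increment)


def ca_picks_random_serial_scenario() -> bool:
    """CA product assigns its own random serial: the relation cannot hold."""
    pre = make_precert(random_serial())
    return matches(pre, finalize(pre, random_serial()), increment)


if __name__ == "__main__":
    print("CA controls serial, increment relation:", ca_controls_serial_scenario())
    print("CA picks random serial, increment relation:", ca_picks_random_serial_scenario())
```

With the identity relation the check only passes when precert and cert carry the same serial, which is exactly what point #2 says a single CA instance may refuse to do; with the increment relation it only passes when the CA can dictate the final serial, which point #1 says it may not be able to.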
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans