On 9 July 2014 03:16, Melinda Shore <[email protected]> wrote:
> On 7/4/14 4:13 AM, Ben Laurie wrote:
>> Given that there's a certain amount of angst about precertificates and
>> PKI rules, it could be that we really want to sign some other
>> structure altogether, at least for precertificates.
>
> Is there a proposal for that that's ready for discussion?

Sorry, I mis-spoke. We pretty clearly need to sign the TBSCertificate (or at least, all the data that is in it). What we might want to do, at least for Precertificates, is to sign it in a way that is not X.509v3, to completely remove all question that it could be used as an X.509v3 certificate, or be subject to their validation rules.

As for exactly how it is signed, I don't have strong feelings about that. Is there some appropriate RFC that specifies how to sign some arbitrary binary blob using RSA or EC keys?

In any case, I am conflating two issues. Trac issue 4 is about what the _log_ signs. Just signing the TBSCertificate certainly makes some kind of sense, from a consistency POV.

Sorry for the confusion.
