On 9/9/14, 8:07 AM, "Ben Laurie" <[email protected]> wrote:

> On 9 September 2014 00:24, Rick Andrews <[email protected]> wrote:
>>> The CA may use a Precertificate Signing Certificate to sign the
>>> Precertificate, and then sign the final certificate with the production
>>> CA certificate. Then, there would be no duplicate serial number issues.
>>
>> Brian, even if the CA uses a Precert signing cert, the precert's issuer
>> name has to be that of the ultimate issuer, and the serial number has to
>> be that of the ultimate certificate, so I don't think that solves the
>> problem.
>
> Surely it does, since it is actually signed by the precert signing
> cert.

I think the point above is that the issuerName/serialNumber is what is
required to be unique, not the issuer's public key/serial number.

> Changing the issuer name just means it's even less of a conflict,
> since it then shouldn't even validate according to normal rules.

It may be worth requiring the pre-certificate signing certificate to omit
the basicConstraints extension to further reduce conflict.

Different question: why must the SKID in the pre-signing certificate match
the AKID in the TBSCertificate (as noted in 3.3)? It seems like a bad idea
to have the same SKID in both the pre-certificate signing certificate and
in the real CA certificate. Allowing the SKID to be calculated as per
normal and placing the SKID of the final issuer in a SAN may be a better
approach.

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
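The scenario debated above, modelled with Go's standard library as an added example (not code from this thread or from any CT implementation): a precertificate that carries the ultimate issuer's name and the final serial but is signed by a precert signing certificate (PCS) that omits basicConstraints, as suggested. All keys, names and the 0x1234 serial are constructed; the returned flags show the issuerName/serialNumber pair colliding with the final certificate while the precert fails RFC 5280 signature checks under both the CA and the PCS and carries the critical poison extension.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)
func tmpl(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Date(2014, 9, 9, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2014, 12, 9, 0, 0, 0, 0, time.UTC)}
}
// issue signs template t with signer, taking the issuer name from parent, and parses the result.
func issue(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c
}
// Demo builds a CA, a precert signing cert (PCS), a precertificate and the final certificate
// (all constructed) and reports what RFC 5280 path checks and a raw signature check see.
func Demo() map[string]bool {
	oidPoison := asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} // RFC 6962 section 3.1
	oidPrecertEKU := asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 4}
	newKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	caKey, pcsKey, leafKey := newKey(), newKey(), newKey()
	caT := tmpl(1, "Example CA")
	caT.IsCA, caT.BasicConstraintsValid, caT.KeyUsage = true, true, x509.KeyUsageCertSign
	ca := issue(caT, caT, &caKey.PublicKey, caKey)
	pcsT := tmpl(2, "Example CA Precert Signing") // CT EKU only; basicConstraints omitted
	pcsT.UnknownExtKeyUsage = []asn1.ObjectIdentifier{oidPrecertEKU}
	pcs := issue(pcsT, ca, &pcsKey.PublicKey, caKey)
	// Precert: final issuer's name and serial, critical poison (ASN.1 NULL), signed by the PCS key.
	// The synthetic parent supplies only the issuer name and the key Go expects the signer to hold.
	preT := tmpl(0x1234, "example.test")
	preT.ExtraExtensions = []pkix.Extension{{Id: oidPoison, Critical: true, Value: []byte{0x05, 0x00}}}
	nameOnly := &x509.Certificate{RawSubject: ca.RawSubject, PublicKey: &pcsKey.PublicKey}
	pre := issue(preT, nameOnly, &leafKey.PublicKey, pcsKey)
	final := issue(tmpl(0x1234, "example.test"), ca, &leafKey.PublicKey, caKey)
	return map[string]bool{
		"same_issuer_and_serial":       pre.Issuer.String() == final.Issuer.String() && pre.SerialNumber.Cmp(final.SerialNumber) == 0,
		"precert_validates_under_ca":   pre.CheckSignatureFrom(ca) == nil,  // false: not the CA's key
		"precert_validates_under_pcs":  pre.CheckSignatureFrom(pcs) == nil, // false: PCS is not a CA
		"precert_signed_by_pcs_key":    pcs.CheckSignature(pre.SignatureAlgorithm, pre.RawTBSCertificate, pre.Signature) == nil,
		"poison_is_unhandled_critical": len(pre.UnhandledCriticalExtensions) == 1 && pre.UnhandledCriticalExtensions[0].Equal(oidPoison),
	}
}
```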
