On 10/09/14 02:25, Watson Ladd wrote:
> On Tue, Sep 9, 2014 at 4:40 PM, Kyle Hamilton <[email protected]> wrote:
>> I think the best way to change a Certificate into a Precertificate would be
>> to alter the first field of the tbsCertificate to be non-optional and
>> explicitly tagged as something other than tag [0]. Then, reconstruct the
>> actual tbsCertificate by changing the first field to tag [0], perform any
>> other necessary edits (like, for name redaction), re-encode the
>> validly-tagged tbsCertificate to DER, and digest the encoded data.
>
> Let's back up a bit: we want to ensure that the certificate chains
> browsers use are a matter of public record. To do this we need to
> record the chain in a log, and give the server back a way to prove
> "yes, we've seen this chain" from the log. What I don't understand
> here is the role of the CA and the Precertificate in this process.
Hi Watson.
Without Precertificates, we would have to wait for all of the world's
TLS Servers to be updated to support the RFC6962 TLS extension and/or
OCSP Stapling before TLS Clients would then be able/willing to abort TLS
handshakes when an SCT is not provided. We don't want to have to wait
that long!
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
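The retagging idea Kyle sketches in the quoted message (turn the tbsCertificate's first field into a mandatory field with a tag other than [0], and later restore tag [0], re-encode to DER and digest) can be worked through on a small DER structure. The following is an added example written for this page; it is not code from the thread, from Comodo, or from any CT log or RFC 6962 implementation, and it is not the poison-extension mechanism RFC 6962 actually uses. It assumes context-specific tag [1] as the "other" tag, a simplified tbsCertificate that carries only the leading fields (version, serialNumber, signature, issuer), single-byte ASN.1 tags, and a constructed sample certificate body.

```python
import hashlib

# --- minimal DER helpers (single-byte tags only; enough for this example) ---
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_integer(n: int) -> bytes:
    # two's-complement, minimal length, as DER requires for non-negative n
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def read_tlv(buf: bytes, off: int):
    """Return (tag, content, offset_after_element) for the element at buf[off]."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

SEQUENCE, SET, OID, UTF8STRING = 0x30, 0x31, 0x06, 0x0C
VERSION_TAG = 0xA0          # X.509: version [0] EXPLICIT, DEFAULT v1 (omitted in DER)
PRECERT_VERSION_TAG = 0xA1  # assumption: context-specific [1] marks a precertificate

# --- constructed sample: the leading fields of a tbsCertificate ---
_OID_CN = bytes.fromhex("550403")                  # 2.5.4.3 commonName
_OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
FIELDS_AFTER_VERSION = (
    der_integer(0x1234)                            # serialNumber (constructed value)
    + tlv(SEQUENCE, tlv(OID, _OID_SHA256_RSA))     # signature AlgorithmIdentifier
    + tlv(SEQUENCE, tlv(SET, tlv(SEQUENCE,         # issuer: CN=Test
          tlv(OID, _OID_CN) + tlv(UTF8STRING, b"Test"))))
)
SAMPLE_TBS_V3 = tlv(SEQUENCE, tlv(VERSION_TAG, der_integer(2)) + FIELDS_AFTER_VERSION)
SAMPLE_TBS_V1 = tlv(SEQUENCE, FIELDS_AFTER_VERSION)  # v1: version field absent

def _open_sequence(tbs: bytes) -> bytes:
    tag, body, end = read_tlv(tbs, 0)
    if tag != SEQUENCE or end != len(tbs):
        raise ValueError("tbsCertificate must be a single DER SEQUENCE")
    return body

def certificate_to_precert(tbs: bytes) -> bytes:
    """Make the version field mandatory and give it tag [1] instead of [0]."""
    body = _open_sequence(tbs)
    if body and body[0] == VERSION_TAG:
        _, version, off = read_tlv(body, 0)
        new_body = tlv(PRECERT_VERSION_TAG, version) + body[off:]
    else:
        # version was omitted (DEFAULT v1); the precert must carry it explicitly
        new_body = tlv(PRECERT_VERSION_TAG, der_integer(0)) + body
    return tlv(SEQUENCE, new_body)

def precert_to_certificate(precert: bytes, edit_body=None) -> bytes:
    """Restore tag [0] (or drop the DEFAULT v1 field), apply optional edits,
    and re-encode as a valid DER tbsCertificate.  `edit_body` is a hypothetical
    hook for further edits such as name redaction; it receives and returns the
    DER of the fields after the version."""
    body = _open_sequence(precert)
    first_tag, version, off = read_tlv(body, 0)
    if first_tag != PRECERT_VERSION_TAG:
        raise ValueError("not a precertificate: first field is not tagged [1]")
    rest = body[off:]
    if edit_body is not None:
        rest = edit_body(rest)
    _, version_value, _ = read_tlv(version, 0)
    if version_value == b"\x00":        # v1: DER omits the DEFAULT value
        return tlv(SEQUENCE, rest)
    return tlv(SEQUENCE, tlv(VERSION_TAG, version) + rest)

def digest_tbs(tbs: bytes) -> str:
    """Digest the re-encoded DER, which is what a signature would cover."""
    return hashlib.sha256(tbs).hexdigest()

if __name__ == "__main__":
    pre = certificate_to_precert(SAMPLE_TBS_V3)
    back = precert_to_certificate(pre)
    print("precert first tag:", hex(pre[2]), "restored equals original:", back == SAMPLE_TBS_V3)
    print("digest of reconstructed tbs:", digest_tbs(back))
```

The round trip is lossless for both a v3 certificate and a v1 certificate whose version field is absent; the precertificate's DER differs from the final certificate's DER (so its digest differs too), which is the point of the scheme: a signature over the precertificate cannot be mistaken for a signature over the certificate.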