Ben,
> On 9 September 2014 19:23, Stephen Kent <[email protected]> wrote:
>> I agree that using a redefined (to include the serial number) cert template
>> from CRMF would avoid the 5280 issue, but it still requires the CA to assign
>> the serial number before the cert is issued. That is my biggest concern,
>> i.e., it imposes a new requirement on CAs, one that may have adverse
>> security implications for some. Nonetheless, I like your suggestion (minus
>> the serial number) as a starting point. See my next message.
>
> I have a suggestion: let the RFC say that any certificate which the
> log knows can be revoked without knowing its serial number can omit
> the serial number.
Because, as you noted, we have no IETF-standard way to revoke a single
cert w/o knowing its serial number, I don't think this is a good fix.
Nonetheless, I do appreciate your willingness to explore alternative
approaches to address the concern I raised.
Steve
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans