On 11/09/14 12:17, Ben Laurie wrote:
On 11 September 2014 11:56, Eran Messeri <[email protected]> wrote:
The poison extension is removed from the Precertificate prior to the log
producing an SCT over it, so a client never has to know about it. What the
TLS client has to do is to remove the "embedded SCTs" extension from the
certificate prior to validating the signature.
This does imply that the remaining extensions have to be in the same
order in both precert and cert, I think?
Yes.
I think this bit...
"The Precertificate is constructed from the certificate to be issued
by adding a special critical poison extension..."
...implies that the other extensions shouldn't be shuffled, but should
we make it more explicit?
On Thu, Sep 11, 2014 at 11:40 AM, Erwann Abalea <[email protected]> wrote:
Bonjour,
It seems there's no constraint on the order of extensions in the final
certificate regarding to the Precert.
Won't it be problematic if the browser wants to validate the SCT
signatures by constructing the Precert from the final certificate? Where
should a CA add the poisonous extension? And the future "redactedlabels"
extension (it has no name)?
--
Erwann.
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
COMODO CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ
This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
sender by replying to the e-mail containing this attachment. Replies to
this email may be monitored by COMODO for operational or business
reasons. Whilst every endeavour is taken to ensure that e-mails are free
from viruses, no liability can be accepted and the recipient is
requested to use their own virus checking software.
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
