On 11 September 2014 16:21, Stephen Kent <[email protected]> wrote: > Ben, >> >> Until there is such a mechanism, omitting serial numbers makes it hard >> (or impossible?) for anyone to take effective action on violations >> discovered via CT. So, CT has to require serial numbers until then. >> This language allows that to happen. > > I think we're in agreement, which I why I proposed an alternative > mechanism to log serial numbers, without requiring a CA to have > to assign them prior to final cert issuance.
I managed to miss that proposal. I've found it now. There seems to be a flaw: if I'm an evil CA wishing to issue an evil certificate, I simply log a precert, minus serial, get an SCT*, log a certificate containing that SCT*, which I then revoke when requested to do so, In order to attack a user with the evil certificate, I simply issue a second copy with a different serial, containing the original SCT*, and the certificate works. Yes, the discrepancy should be discovered in audit, but that is a significantly weaker protection than we get if the serial is included in the pre-certificate. Also this adds quite a lot of complexity in order to allow what appears to be, so far, an entirely theoretical use case. _______________________________________________ Trans mailing list [email protected] https://www.ietf.org/mailman/listinfo/trans
