Jeremy,
Why not use a TBSCertificate from RFC 5280 with no modifications from the final
certificate (no poison extension) and sign it with a PKCS7 signature instead of
an RFC 5280 signature? By doing this you are not creating a valid certificate,
so you are not technically breaking RFC 5280 (re-using serial numbers), and it
couldn't be used as a certificate even if some software incorrectly ignored the
poison extension.
Using either a TBS cert with a different signature format or CRMF would
avoid the 5280 conflict. It would not, however, address the "know the serial
number before you issue the cert" concern that I raised. So, we have a couple
of proposals that address at least half of the problem, which is a start.
Steve
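The construction proposed in the first message above, as an added worked example that is not code from this thread or from the CT/Trans work: the CA takes the TBSCertificate of the final certificate, unchanged (same serial number, no poison extension), and signs it as the content of a CMS/PKCS#7 SignedData instead of as an X.509 Certificate. This is Go using only the standard library; since the standard library has no CMS package, the SignedData/SignerInfo structures are hand-encoded here, and the SignerInfo uses the subjectKeyIdentifier form (hence version 3) with no signed attributes, a simplification I chose so the signature covers the TBS bytes directly. The CA, its key and the leaf certificate are constructed in-process as a throwaway fixture; the names BuildFixture, SignTBSAsCMS and VerifyCMS are mine. The two checks a log or auditor would want are both shown: the signed content is byte-for-byte the final certificate's TBS, and the CMS object does not parse as a certificate, so a client that ignored a poison extension still could not use it. It also makes the remaining half of the problem visible: the serial number is inside the TBS bytes being signed, so it must be fixed before this object can be created.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidSignedData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2}     // id-signedData, RFC 5652
var oidData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1}           // id-data, RFC 5652
var oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}     // id-sha256
var oidECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2} // ecdsa-with-SHA256, RFC 5758

type contentInfo struct { // CMS ContentInfo (RFC 5652 section 5), hand-encoded: no stdlib CMS support
	ContentType asn1.ObjectIdentifier
	Content     signedData `asn1:"explicit,tag:0"`
}
type signedData struct { // one signer, no signed attributes, so the signature covers the content itself
	Version          int
	DigestAlgorithms []pkix.AlgorithmIdentifier `asn1:"set"`
	EncapContentInfo encapContentInfo
	SignerInfos      []signerInfo `asn1:"set"`
}
type encapContentInfo struct { // content type id-data, content = the final certificate's TBSCertificate
	ContentType asn1.ObjectIdentifier
	Content     []byte `asn1:"explicit,tag:0"`
}
type signerInfo struct { // version 3 because the signer is named by SubjectKeyIdentifier
	Version            int
	Sid                []byte `asn1:"tag:0"` // [0] IMPLICIT SubjectKeyIdentifier
	DigestAlgorithm    pkix.AlgorithmIdentifier
	SignatureAlgorithm pkix.AlgorithmIdentifier
	Signature          []byte
}

func must[T any](v T, err error) T { // used only while building the constructed fixture
	if err != nil {
		panic(err)
	}
	return v
}

// BuildFixture makes a throwaway PKI: a self-signed CA and the final leaf certificate it issued.
func BuildFixture() (ca *x509.Certificate, caKey *ecdsa.PrivateKey, leaf *x509.Certificate) {
	caKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "precert.example"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)).PublicKey, caKey))))
	return ca, caKey, leaf
}

// SignTBSAsCMS wraps the unmodified TBSCertificate in a CMS SignedData signed by the CA; the result is a ContentInfo, not a Certificate.
func SignTBSAsCMS(tbs []byte, signer *x509.Certificate, key *ecdsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(tbs)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	si := signerInfo{Version: 3, Sid: signer.SubjectKeyId, DigestAlgorithm: pkix.AlgorithmIdentifier{Algorithm: oidSHA256},
		SignatureAlgorithm: pkix.AlgorithmIdentifier{Algorithm: oidECDSAWithSHA256}, Signature: sig}
	sd := signedData{Version: 3, DigestAlgorithms: []pkix.AlgorithmIdentifier{{Algorithm: oidSHA256}},
		EncapContentInfo: encapContentInfo{ContentType: oidData, Content: tbs}, SignerInfos: []signerInfo{si}}
	return asn1.Marshal(contentInfo{ContentType: oidSignedData, Content: sd})
}

// VerifyCMS checks the SignedData against the expected signer and returns the signed TBS bytes for comparison with the issued certificate.
func VerifyCMS(der []byte, signer *x509.Certificate) ([]byte, error) {
	var ci contentInfo
	rest, err := asn1.Unmarshal(der, &ci)
	if err != nil || len(rest) != 0 || !ci.ContentType.Equal(oidSignedData) || len(ci.Content.SignerInfos) != 1 {
		return nil, fmt.Errorf("not a single-signer CMS SignedData (%v)", err)
	}
	si, eci := ci.Content.SignerInfos[0], ci.Content.EncapContentInfo
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok || !eci.ContentType.Equal(oidData) || string(si.Sid) != string(signer.SubjectKeyId) ||
		!si.DigestAlgorithm.Algorithm.Equal(oidSHA256) || !si.SignatureAlgorithm.Algorithm.Equal(oidECDSAWithSHA256) {
		return nil, fmt.Errorf("SignerInfo does not name the expected ECDSA/SHA-256 signer over id-data")
	}
	if d := sha256.Sum256(eci.Content); !ecdsa.VerifyASN1(pub, d[:], si.Signature) {
		return nil, fmt.Errorf("CMS signature does not verify")
	}
	return eci.Content, nil
}

func main() {
	ca, caKey, leaf := BuildFixture()
	cms := must(SignTBSAsCMS(leaf.RawTBSCertificate, ca, caKey))
	_, parseErr := x509.ParseCertificate(cms) // fails: a ContentInfo is not a Certificate
	fmt.Println("parses as certificate:", parseErr == nil, "| signed TBS equals final TBS:", string(must(VerifyCMS(cms, ca))) == string(leaf.RawTBSCertificate))
}
```

Because the signed content is the final certificate's own TBS, a log can later match the issued certificate to the logged object by comparing RawTBSCertificate bytes rather than by stripping a poison extension and re-encoding; the same property is what forces the serial number to be chosen before the object is signed.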
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans