It looks like we've got two closely-related discussions: 1) precertificate format (representation), and 2) precertificate contents
There've been a couple of proposals for alternative representation, including TBS (alternatively, the CertTemplate format from 4211) and CRMF, and there seems to be some agreement congealing around Erwann's summary:

> IIUC, what you propose is that the PreCert is a CMS (RFC5652) with a
> signedData content-type, for which the data is the TBSCertificate
> (name-redacted or not, no necessary poison extension). The SignerInfo
> refers to the PreCert issuer (CA or dedicated issuer, same as now).
> It can only work if the log signs the content (=TBSCertificate) and not
> the whole CMS, thus ignoring the PreCert issuer signature. Leaving that
> signature aside isn't more risky than it is now because it's already
> the case (the log removes the poison extension before signing the
> resulting certificate, right?).

with an open question around serial numbers.

Related, there's a proposal on the table to walk through cert data and justify SCT contents.

Does this sound about right?

Melinda

Trans mailing list, https://www.ietf.org/mailman/listinfo/trans
