On Wed, Sep 17, 2014 at 2:45 PM, Melinda Shore <[email protected]> wrote:

> There've been a couple of proposals for alternative representation,
> including TBS (alternatively, the CertTemplate format from 4211) and
> CRMF, and there seems to be some agreement congealing around Erwann's
> summary:
>
>> IIUC, what you propose is that the PreCert is a CMS (RFC5652) with a
>> signedData content-type, for which the data is the TBSCertificate
>> (name-redacted or not, no necessary poison extension). The SignerInfo
>> refers to the PreCert issuer (CA or dedicated issuer, same as now).
CMS is not a good format for the PreCert, because CMS is highly complicated and unnecessarily complex for this purpose. And, in particular, CMS is specified as a BER-encoded format, not a DER-encoded format, and it isn't reasonable to require implementations to support a BER-encoded format for CT when all other things they process are DER-encoded. In particular, some implementations may have specialized DER decoders that cannot be practically adapted to deal with BER.

I previously suggested an alternative syntax that would be much easier to implement: http://www.ietf.org/mail-archive/web/trans/current/msg00500.html

> Related, there's a proposal on the table to walk through cert data and
> justify SCT contents.

There is a proposal for that, but I don't think it has much support. I myself do not think that would be a useful thing to do.

Cheers,
Brian

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
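The BER-versus-DER point in the message above, as an added example that is not part of the original thread or of any CT implementation: a strict DER TLV reader of the kind a DER-only parser would contain. It accepts a DER-encoded SEQUENCE and rejects two encodings of the same structure that are legal BER but not DER (an indefinite length with end-of-contents octets, and a non-minimal long-form length). The byte strings and the function names (`read_tlv`, `parse_sequence`, `classify`) are constructed for this example.

```python
"""Strict DER TLV reader versus BER-permissive input (constructed example).

DER is a subset of BER: it forbids indefinite lengths and requires every
length to be encoded in the shortest possible form.  A decoder written for
DER therefore has no code path for the BER-only forms and rejects them.
"""


class DerError(ValueError):
    """Raised when the input is not valid DER."""


def read_tlv(buf: bytes, offset: int = 0):
    """Parse one DER TLV at buf[offset:]; return (tag, value, next_offset).

    Rejects the BER-only length encodings: indefinite length (0x80) and
    long-form lengths that are not minimal.  High-tag-number form is out of
    scope for this example and is rejected rather than parsed.
    """
    if offset >= len(buf):
        raise DerError("truncated: no tag octet")
    tag = buf[offset]
    if tag & 0x1F == 0x1F:
        raise DerError("high-tag-number form not handled in this example")
    offset += 1
    if offset >= len(buf):
        raise DerError("truncated: no length octet")
    first = buf[offset]
    offset += 1
    if first == 0x80:
        # BER indefinite length: contents are terminated by 00 00 octets.
        raise DerError("indefinite length is BER, not DER")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n > 4:
            raise DerError("length too large for this example")
        if offset + n > len(buf):
            raise DerError("truncated: length octets missing")
        length_octets = buf[offset:offset + n]
        offset += n
        if length_octets[0] == 0:
            raise DerError("non-minimal length: leading zero octet")
        length = int.from_bytes(length_octets, "big")
        if length < 0x80:
            raise DerError("non-minimal length: short form required")
    if offset + length > len(buf):
        raise DerError("truncated: value shorter than declared length")
    return tag, buf[offset:offset + length], offset + length


def parse_sequence(buf: bytes):
    """Parse a top-level SEQUENCE and return its children as (tag, value)."""
    tag, value, end = read_tlv(buf)
    if tag != 0x30:
        raise DerError("expected SEQUENCE tag 0x30, got 0x%02x" % tag)
    if end != len(buf):
        raise DerError("trailing octets after SEQUENCE")
    children = []
    off = 0
    while off < len(value):
        child_tag, child_value, off = read_tlv(value, off)
        children.append((child_tag, child_value))
    return children


def classify(buf: bytes) -> str:
    """Return 'DER' if the strict reader accepts buf, else the rejection reason."""
    try:
        parse_sequence(buf)
        return "DER"
    except DerError as exc:
        return "rejected: %s" % exc


# Constructed samples, all encoding SEQUENCE { INTEGER 5, OCTET STRING "A" }.
DER_SAMPLE = bytes.fromhex("3006020105040141")          # definite, minimal length
BER_INDEFINITE = bytes.fromhex("3080020105040141" "0000")  # indefinite length + EOC
BER_LONG_FORM = bytes.fromhex("308106020105040141")      # 0x81 0x06 instead of 0x06

if __name__ == "__main__":
    for name, sample in (("DER_SAMPLE", DER_SAMPLE),
                         ("BER_INDEFINITE", BER_INDEFINITE),
                         ("BER_LONG_FORM", BER_LONG_FORM)):
        print(name, "->", classify(sample))
```

The three samples carry identical content; only the strict reader's refusal of the two BER forms differs, which is the compatibility gap the message describes when a DER-only code base is asked to consume a BER-encoded CMS structure.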
