Melinda,
> Hi, all:
> Problems around precertificate contents and formats were among
> the things we first discussed when the working group was chartered,
> and here we are, still at it. There are basically two problems
> that fall under the "precertificate" rubric: 1) whether or not
> it's possible/reasonable to include a certificate's serial number
> (as this implies that the issuer will know in advance what the
> serial number will be), and 2) encoding/representation. There's
> a general sense that the first *seems* like it ought to be a
> problem, but we haven't had CAs stepping forward saying that
> this would prevent them from being able to implement and
> would be unacceptably onerous for them. Instead, we're hearing
> reports of at least one major CA solving the problem by
> simultaneously issuing precertificates and certs.
I'm confused by the last sentence above. One can issue a cert at the
same time a pre-cert is issued, but the cert does not contain the
SCT that will be generated by the log, so the parallel issuance seems
redundant, and I'm not sure how it helps.
> Given the lack of new information and lack of new technical
> arguments, I think we need to close the serial number aspect of
> the discussion and go ahead with continuing to include it in
> precertificates. This is the IETF and nearly any decision can
> be revisited with the introduction of new information or a new,
> compelling argument. But in the meantime we need to move forward,
> so let's close this one and move on to trying to close the encoding
> discussion.
I'd feel more comfortable on this topic if we had the results
of the CABF member poll I suggested. Is there any progress on
that front?
Steve
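To make concrete why the serial number has to be fixed before the precertificate is logged, here is an added toy model of the RFC 6962 precertificate/SCT flow; it is not code from this thread or from any CA, and it uses a JSON stand-in for DER and an HMAC with a constructed log key in place of the log's real signature:

```python
import hashlib
import hmac
import json

# RFC 6962 OIDs; the TBS encoding below is a JSON stand-in for DER, not real X.509.
PRECERT_POISON_OID = "1.3.6.1.4.1.11129.2.4.3"
EMBEDDED_SCT_OID = "1.3.6.1.4.1.11129.2.4.2"
LOG_KEY = b"constructed-log-key"  # constructed toy key; a real log signs with ECDSA

def tbs_bytes(tbs: dict) -> bytes:
    """Canonical serialization standing in for the DER TBSCertificate."""
    return json.dumps(tbs, sort_keys=True).encode()

def make_precert(serial: int, subject: str) -> dict:
    """CA commits to the final serial number and adds the critical poison extension."""
    return {"serial": serial, "subject": subject,
            "extensions": {PRECERT_POISON_OID: "NULL"}}

def log_sign(precert: dict) -> str:
    """Log issues an SCT over the precert TBS with the poison extension removed."""
    signed = {**precert, "extensions": {k: v for k, v in precert["extensions"].items()
                                        if k != PRECERT_POISON_OID}}
    return hmac.new(LOG_KEY, tbs_bytes(signed), hashlib.sha256).hexdigest()

def make_final_cert(precert: dict, sct: str) -> dict:
    """Final cert: same serial, poison removed, SCT embedded as an extension."""
    exts = {k: v for k, v in precert["extensions"].items() if k != PRECERT_POISON_OID}
    exts[EMBEDDED_SCT_OID] = sct
    return {**precert, "extensions": exts}

def verify_embedded_sct(cert: dict) -> bool:
    """Client rebuilds the signed precert TBS from the final cert and checks the SCT."""
    sct = cert["extensions"].get(EMBEDDED_SCT_OID)
    if sct is None:
        return False  # a cert issued without waiting for the log carries nothing to check
    rebuilt = {**cert, "extensions": {k: v for k, v in cert["extensions"].items()
                                      if k != EMBEDDED_SCT_OID}}
    expected = hmac.new(LOG_KEY, tbs_bytes(rebuilt), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sct)

if __name__ == "__main__":
    precert = make_precert(serial=0x1234, subject="CN=example.test")
    sct = log_sign(precert)
    assert verify_embedded_sct(make_final_cert(precert, sct))
    # Had the CA not fixed the serial before logging, the SCT would no longer match.
    renumbered = make_final_cert({**precert, "serial": 0x1235}, sct)
    assert not verify_embedded_sct(renumbered)
```

The verifier reconstructs the logged precertificate from the final certificate, so any field that differs between the two, the serial number included, breaks the SCT; a certificate issued in parallel without waiting for the log simply has no embedded SCT at all.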
_______________________________________________
Trans mailing list
https://www.ietf.org/mailman/listinfo/trans