For us, it's actually more difficult to generate pre-certificates
without a serial number or with a different serial number. I'd prefer
to keep it as-is.
Jeremy
On 10/3/2014 1:58 PM, Melinda Shore wrote:
> On 10/3/14 11:26 AM, Stephen Kent wrote:
>> I'm confused by the last sentence above. One can issue a cert at the
>> same time a pre-cert is issued, but the cert does not contain the
>> SCT that will be generated by the log, so the parallel issuance seems
>> redundant, and I'm not sure how it helps.
>
> This goes to the question of whether or not the serial number
> is knowable at the time the precertificate is constructed.
> I don't know much beyond that; this is based on implementation
> reports from an American CA.
>
>> I'd feel more comfortable on this topic if we had the results
>> of the CABF member poll I suggested. Is there any progress on
>> that front?
>
> It's underway, and so far nobody is saying that the serial number
> issue is a block to implementation. I'm very concerned that
> we have not been able to close this issue for over six months,
> and that while several people have raised concerns on
> principle nobody who's actually implementing this on the CA side
> has said that this is a show-stopper, or even enough of a difficulty
> to raise it with us. We're very open to revisiting this if there's
> new information.
>
> Melinda
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans