Melinda,

> On 10/3/14 11:26 AM, Stephen Kent wrote:
>> I'm confused by the last sentence above. One can issue a cert at the
>> same time a pre-cert is issued, but the cert does not contain the
>> SCT that will be generated by the log, so the parallel issuance seems
>> redundant, and I'm not sure how it helps.
>
> This goes to the question of whether or not the serial number
> is knowable at the time the precertificate is constructed.
> I don't know much beyond that; this is based on implementation
> reports from an American CA.

I still don't understand the answer that was provided to you, as
it does not address the issue of mechanisms that prevent serial number
reuse. Never mind ...

>> I'd feel more comfortable on this topic if we had the results
>> of the CABF member poll I suggested. Is there any progress on
>> that front?
>
> It's underway, and so far nobody is saying that the serial number
> issue is a block to implementation.

Are you also getting responses to the "are you tracking the TRANS WG"
question I suggested?

> I'm very concerned that
> we have not been able to close this issue for over six months,
> and that while several people have raised concerns on
> principle nobody who's actually implementing this on the CA side
> has said that this is a show-stopper, or even enough of a difficulty
> to raise it with us.  We're very open to revisiting this if there's
> new information.

That's a fair appraisal. If we get a thorough accounting of the poll,
and it covers the vast majority of "root" CAs, then I will rescind my objection.

Steve

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
