Discussion around the format happened in mid/late September; the idea of a CMS/PKCS#7 structure to hold the signature seems fine. Additional questions come in: is the new format intended to *replace* or *complement* the current one? If it's a replacement, what timeframe? CAs are already doing software modifications and deployment, please be nice :)
The same question remains on the knowledge of the serial number before generating the final certificate, with no objection so far, even with arguments raised by Stephen Kent (valid ones, I used such HSMs in the past for SET certs, the BBN SafeKeyper Signer). It seems that no public CA concerned by CT is using such an HSM; I guess they all use an HSM for its key handling job and do certificate generation at a software level.

2014-10-16 17:09 GMT+02:00 Ben Laurie <[email protected]>:

> We (the 6962-bis editors) would like to propose that we replace the
> existing precertificate formats with a TBSCertificate wrapped in PKCS#7.
> This lays to rest, we think, any possible confusion with X509v3 certs,
> whilst allowing a simple mapping between the final cert and the pre-cert.
>
> Obviously there are details to be nailed down, but before we do so, we'd
> like to hear any discussion on the general idea.

--
Erwann.
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
