#4: Should we sign TBS for Certificates?
Comment (by [email protected]):

 Yes. There are an unlimited number of ways that a spammer could incorrectly re-encode the signature algorithm parameters in the signature part of a single certificate, so I think we definitely need to address this. We could address it by saying that logs MUST check that the signature parameters are encoded identically in a cert's signature part and TBSCertificate part, but I think this ticket's suggestion (to always sign TBS) is the more elegant solution.

--
------------------------------+------------------------------
 Reporter:  [email protected]  |       Owner:  [email protected]
     Type:  defect            |      Status:  new
 Priority:  major             |   Milestone:
Component:  rfc6962-bis       |     Version:
 Severity:  -                 |  Resolution:
 Keywords:                    |
------------------------------+------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/trans/trac/ticket/4#comment:2>
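The check mentioned in the comment above as the alternative to signing TBS, as an added example that is not part of the original message or of any log implementation: it compares the raw bytes of TBSCertificate.signature with the outer signatureAlgorithm. The helper names and the skeleton certificate bytes are constructed for illustration.

```python
# Added example: helper names and sample bytes are constructed, not from RFC 6962-bis.
def read_tlv(buf, pos):
    """Return (tag, value_start, next_pos) for the DER/BER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, pos, pos + length

def children(buf):
    """Return [(tag, raw_tlv_bytes), ...] for the elements inside a constructed TLV."""
    _, pos, end = read_tlv(buf, 0)
    out = []
    while pos < end:
        tag, _, nxt = read_tlv(buf, pos)
        out.append((tag, buf[pos:nxt]))
        pos = nxt
    return out

def sig_alg_encodings(cert_der):
    """Return (TBSCertificate.signature, Certificate.signatureAlgorithm) as raw bytes."""
    top = children(cert_der)
    if len(top) != 3:
        raise ValueError("expected tbsCertificate, signatureAlgorithm, signatureValue")
    fields = children(top[0][1])
    idx = 2 if fields[0][0] == 0xA0 else 1  # optional [0] version, then serialNumber
    return fields[idx][1], top[1][1]

def encodings_match(cert_der):
    inner, outer = sig_alg_encodings(cert_der)
    return inner == outer  # compares the encodings as bytes, not the decoded values

def tlv(tag, body):  # short-form builder, enough for the small constructed sample
    return bytes([tag, len(body)]) + body

OID = bytes.fromhex("06092a864886f70d01010b")      # sha256WithRSAEncryption
ALG_NULL = tlv(0x30, OID + b"\x05\x00")            # parameters = NULL
ALG_ABSENT = tlv(0x30, OID)                        # parameters omitted
ALG_BER = b"\x30\x81\x0d" + OID + b"\x05\x00"      # same content, non-minimal length
# Constructed skeleton: version, serial, signature, empty issuer; later fields left out.
TBS = tlv(0x30, b"\xa0\x03\x02\x01\x02" + b"\x02\x01\x01" + ALG_NULL + tlv(0x30, b""))

def sample_cert(outer_alg):
    return tlv(0x30, TBS + outer_alg + b"\x03\x02\x00\x00")
```

Only the TBSCertificate bytes are covered by the issuer's signature, so each outer variant above leaves the signature valid while changing the bytes of the whole certificate.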
