Eran,

I don't understand the 2nd sentence below. If the first cert is
a pre-cert, then it does not "certify" a pre-cert. Did you mean to say something like:

"The first certificate in the chain MAY be a Precertificate. If it is a Precertificate, then it MUST be used to validate the signature on the submission. If the first certificate is not a Precertificate, then that certificate MUST be used to validate the Precertificate
being submitted."

Also, the original text required the last cert to be a root known by the log, or a cert that is (transitively) issued under a root known to the log. The new text changes this to require that the last cert in the chain be a root. This goes beyond what the errata reported as an issue. Is that intentional? If so, then this is a change to the spec and probably does not qualify as just an errata.

Steve

I'm proposing that the reported errata for RFC6962 (here <http://www.rfc-editor.org/errata_search.php?rfc=6962>) be accepted.
The new text:

   "precertificate_chain" is a chain of additional certificates required
   to verify the Precertificate submission.  The first certificate MAY
   be a valid Precertificate Signing Certificate and MUST certify the
   *Precertificate*.  Each following certificate MUST directly certify
   the one preceding it.  The final certificate MUST be a root
   certificate accepted by the log.

It has 'precertificate' in it rather than 'first certificate', as the first certificate in the precertificate_chain should certify the submitted precertificate, not any other certificate.

Any questions, let me know.
Eran


_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
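The two points raised in the thread (the first chain element must certify the submitted Precertificate itself, and the final element must either be an accepted root or, under the original wording, chain to one) can be made concrete as a chain-ordering check. The following is an added example written for this page, not code from RFC 6962, the errata, or either correspondent. It models certificates as plain subject/issuer name pairs and treats "A certifies B" as a name match instead of a signature verification; the certificate names, the `root_must_be_last` switch, and the `check_pre_chain`/`demo` helpers are all constructed for illustration.

```python
"""Check the ordering rules for a CT "precertificate_chain" under the two
readings of the final-certificate rule discussed in the thread.
Constructed example: toy certificates, no real X.509 or signatures."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Cert:
    """Toy stand-in for an X.509 certificate: names only."""
    subject: str
    issuer: str
    is_precert: bool = False          # carries the CT poison extension
    is_precert_signing: bool = False  # Precertificate Signing Certificate

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def certifies(issuer: Cert, subject: Cert) -> bool:
    """Simplification (assumption): 'A certifies B' is modelled as
    A.subject == B.issuer. A real log verifies B's signature with A's key."""
    return issuer.subject == subject.issuer


def check_pre_chain(precert: Cert, chain: List[Cert],
                    accepted_roots: Dict[str, Cert],
                    root_must_be_last: bool) -> Tuple[bool, str]:
    """Validate the chain accompanying a Precertificate submission.

    root_must_be_last=True : final certificate MUST be a root accepted by the log
                             (the proposed errata wording)
    root_must_be_last=False: final certificate may instead be issued under an
                             accepted root (the reading Steve attributes to the
                             original text; modelled here as one hop)
    Returns (ok, reason).
    """
    if not precert.is_precert:
        return False, "submission is not a Precertificate"
    if not chain:
        return False, "precertificate_chain is empty"
    if any(c.is_precert for c in chain):
        return False, "chain must not contain another Precertificate"
    first = chain[0]
    # The first certificate MAY be a Precertificate Signing Certificate; either
    # way it MUST certify the submitted Precertificate, not "the first certificate".
    if not certifies(first, precert):
        return False, f"{first.subject} does not certify the Precertificate"
    if first.is_precert_signing and first.self_signed:
        return False, "a Precertificate Signing Certificate cannot be self-signed"
    # Each following certificate MUST directly certify the one preceding it.
    for prev, nxt in zip(chain, chain[1:]):
        if not certifies(nxt, prev):
            return False, f"{nxt.subject} does not certify {prev.subject}"
    last = chain[-1]
    if last.self_signed and accepted_roots.get(last.subject) == last:
        return True, "chain ends in an accepted root"
    if root_must_be_last:
        return False, f"final certificate {last.subject} is not an accepted root"
    # Relaxed reading: the final certificate may itself be issued by an accepted root.
    if last.issuer in accepted_roots:
        return True, f"{last.subject} chains to accepted root {last.issuer}"
    return False, f"final certificate {last.subject} does not chain to an accepted root"


# Constructed sample PKI: Root -> Intermediate -> (PSC) -> Precertificate
ROOT = Cert("Example Root CA", "Example Root CA")
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA")
PSC = Cert("Example Precert Signer", "Example Intermediate CA", is_precert_signing=True)
PRECERT_FROM_CA = Cert("www.example.test", "Example Intermediate CA", is_precert=True)
PRECERT_FROM_PSC = Cert("www.example.test", "Example Precert Signer", is_precert=True)
ACCEPTED_ROOTS = {ROOT.subject: ROOT}


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the check over the sample chains under both readings."""
    return {
        "ca_full_chain": check_pre_chain(PRECERT_FROM_CA, [INTERMEDIATE, ROOT], ACCEPTED_ROOTS, True),
        "psc_full_chain": check_pre_chain(PRECERT_FROM_PSC, [PSC, INTERMEDIATE, ROOT], ACCEPTED_ROOTS, True),
        "no_root_strict": check_pre_chain(PRECERT_FROM_CA, [INTERMEDIATE], ACCEPTED_ROOTS, True),
        "no_root_relaxed": check_pre_chain(PRECERT_FROM_CA, [INTERMEDIATE], ACCEPTED_ROOTS, False),
        "wrong_first": check_pre_chain(PRECERT_FROM_PSC, [INTERMEDIATE, ROOT], ACCEPTED_ROOTS, True),
        "wrong_order": check_pre_chain(PRECERT_FROM_CA, [INTERMEDIATE, PSC, ROOT], ACCEPTED_ROOTS, True),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:16s} {'OK  ' if ok else 'FAIL'} {why}")
```

The `no_root_strict` and `no_root_relaxed` cases isolate exactly the difference Steve points at: the same chain ending in an intermediate is rejected when the final certificate must itself be an accepted root and accepted when it only has to chain to one, so the choice of wording changes which submissions a log accepts.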