#4: Should we sign TBS for Certificates?
Comment (by [email protected]): There seems to be a consensus among the authors that this is a good idea. As Emilia Kasper put it: "I can see only strong benefits in this: 1) unifying the handling of precertificates and certificates and 2) avoiding all sorts of library slack and brokenness in handling the unsigned component of the certificates." That implies that the signature in the SCT will not cover the signature in the X.509 certificate itself, so it would validate for different certificates that are the same TBSCertificate, signed with the same key multiple times (potentially yielding different signatures). To allow auditing of the original submission, I propose adding a field to the PrecertChainEntryV2/X509ChainEntry struct (which will be unified) to include the original submission. -- ------------------------------+------------------------------ Reporter: [email protected] | Owner: [email protected] Type: defect | Status: new Priority: major | Milestone: Component: rfc6962-bis | Version: Severity: - | Resolution: Keywords: | ------------------------------+------------------------------ Ticket URL: <http://trac.tools.ietf.org/wg/trans/trac/ticket/4#comment:3> trans <http://tools.ietf.org/trans/> _______________________________________________ Trans mailing list [email protected] https://www.ietf.org/mailman/listinfo/trans
