#80: Re-introduce the issuer key hash into the Precertificate

In the current draft (07), when the entry_type in the SignedCertificateTimestamp is precert_entry_V2, the only thing included in the signature is the TBSCertificate. The issuer key identifier is not included, the implication being that an SCT for a precertificate would be valid regardless of who the final issuer will be, so the submitter of the precertificate may not be bound to it in the SCT. (The Authority Key Identifier, https://tools.ietf.org/html/rfc5280#section-4.2.1.1, should uniquely identify the issuer, but AIUI this could be the key or the issuer name and serial number, and Rob Stradling pointed out that on some platforms the requirement that this matches the issuer may not be enforced, as the stated goal of this extension is to facilitate path building.)

I propose re-introducing the issuer key hash and using it for X.509 certificates in case ticket #4 is accepted (signing TBSCertificate for X.509 certificates as well).

--
Reporter:  [email protected]
Owner:     draft-ietf-trans-[email protected]
Type:      defect
Status:    new
Priority:  major
Milestone:
Component: client-behavior
Version:
Keywords:
Severity:  -

Ticket URL: <http://trac.tools.ietf.org/wg/trans/trac/ticket/80>
trans <http://tools.ietf.org/trans/>

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
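The binding argument in the ticket can be made concrete by serialising the bytes a log signs in the two cases. The block below is an added example, not code from the ticket, the draft or any CT implementation: it builds the RFC 6962 (v1) "digitally-signed struct" for a precert_entry, which carries issuer_key_hash (SHA-256 of the issuing CA's DER SubjectPublicKeyInfo), beside a schematic TBSCertificate-only variant standing in for the draft-07 behaviour the ticket describes (the exact draft-07 field layout is not reproduced; the only claim is that no issuer key material enters the signed bytes). It also shows the check a verifier can perform when the final certificate appears: recompute the hash of the actual issuer's key and compare it with the hash the log signed. All certificate and key bytes are constructed placeholders.

```python
import hashlib
import hmac
import struct

# Constructed sample inputs; none of these are real certificates or keys.
TBS_CERT_DER = b"\x30\x82\x01\x00" + b"precert-tbs-" * 8
CA_A_SPKI_DER = b"\x30\x59" + b"ca-a-spki" * 4
CA_B_SPKI_DER = b"\x30\x59" + b"ca-b-spki" * 4
TIMESTAMP_MS = 1_400_000_000_000


def issuer_key_hash(spki_der: bytes) -> bytes:
    """SHA-256 over the DER-encoded SubjectPublicKeyInfo of the issuing CA (RFC 6962, 3.2)."""
    return hashlib.sha256(spki_der).digest()


def rfc6962_precert_signed_data(timestamp_ms: int, issuer_spki_der: bytes,
                                tbs_der: bytes, extensions: bytes = b"") -> bytes:
    """Serialise the RFC 6962 v1 digitally-signed struct for a precert_entry SCT.

    Layout: sct_version(1) signature_type(1) timestamp(8) entry_type(2)
            PreCert { issuer_key_hash(32), tbs_certificate opaque<1..2^24-1> }
            extensions opaque<0..2^16-1>
    """
    out = bytearray()
    out.append(0)                               # sct_version = v1
    out.append(0)                               # signature_type = certificate_timestamp
    out += struct.pack(">Q", timestamp_ms)      # uint64 timestamp (ms since epoch)
    out += struct.pack(">H", 1)                 # entry_type = precert_entry
    out += issuer_key_hash(issuer_spki_der)     # binds the SCT to the issuing CA's key
    out += len(tbs_der).to_bytes(3, "big") + tbs_der
    out += struct.pack(">H", len(extensions)) + extensions
    return bytes(out)


def tbs_only_signed_data(timestamp_ms: int, issuer_spki_der: bytes,
                         tbs_der: bytes, extensions: bytes = b"") -> bytes:
    """Schematic of the draft-07 behaviour the ticket describes: only the TBSCertificate is signed.

    issuer_spki_der is accepted for symmetry with the v1 builder but deliberately unused;
    that omission is exactly what the ticket objects to. (Assumed layout, not the draft's.)
    """
    out = bytearray()
    out.append(1)                               # placeholder version byte
    out += struct.pack(">Q", timestamp_ms)
    out += len(tbs_der).to_bytes(3, "big") + tbs_der
    out += struct.pack(">H", len(extensions)) + extensions
    return bytes(out)


def parse_rfc6962_precert_signed_data(blob: bytes):
    """Parse the v1 struct back; returns (timestamp, issuer_key_hash, tbs_der, extensions)."""
    if len(blob) < 1 + 1 + 8 + 2 + 32 + 3 + 2:
        raise ValueError("truncated signed data")
    if blob[0] != 0 or blob[1] != 0:
        raise ValueError("unexpected sct_version or signature_type")
    timestamp = struct.unpack(">Q", blob[2:10])[0]
    if struct.unpack(">H", blob[10:12])[0] != 1:
        raise ValueError("not a precert_entry")
    ikh = blob[12:44]
    tbs_len = int.from_bytes(blob[44:47], "big")
    tbs = blob[47:47 + tbs_len]
    off = 47 + tbs_len
    ext_len = struct.unpack(">H", blob[off:off + 2])[0]
    ext = blob[off + 2:off + 2 + ext_len]
    if off + 2 + ext_len != len(blob):
        raise ValueError("trailing data after extensions")
    return timestamp, ikh, tbs, ext


def sct_bound_to_issuer(signed_data: bytes, final_issuer_spki_der: bytes) -> bool:
    """Verifier-side check: does the hash the log signed match the CA that actually issued?"""
    _, ikh, _, _ = parse_rfc6962_precert_signed_data(signed_data)
    return hmac.compare_digest(ikh, issuer_key_hash(final_issuer_spki_der))


def signed_data_changes_with_issuer(include_issuer_key_hash: bool) -> bool:
    """True if swapping the issuing CA changes the bytes a log would sign."""
    build = rfc6962_precert_signed_data if include_issuer_key_hash else tbs_only_signed_data
    a = build(TIMESTAMP_MS, CA_A_SPKI_DER, TBS_CERT_DER)
    b = build(TIMESTAMP_MS, CA_B_SPKI_DER, TBS_CERT_DER)
    return a != b


if __name__ == "__main__":
    print("v1 with issuer_key_hash: issuer-bound =", signed_data_changes_with_issuer(True))
    print("TBSCertificate only:     issuer-bound =", signed_data_changes_with_issuer(False))
```

With issuer_key_hash present, an SCT obtained by submitting a precertificate under CA A cannot be presented as covering the same TBSCertificate issued by CA B, and a client or monitor can detect the mismatch from the SCT alone; with only the TBSCertificate signed, the two cases produce identical bytes and the check has nothing to compare.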
