On 25/01/16 12:00, Ben Laurie wrote:

<snip>

>> Sections 3.1 and 3.2
>>
>> From:
>>
>> 3.1. Certificates
>>
>> Anyone can submit a certificate (Section 6.1) to a log. Since certificates may not be accepted by TLS clients unless logged, it is expected that certificate owners or their CAs will usually submit them.
>>
>> 3.2. Precertificates
>>
>> Alternatively, (root as well as intermediate) CAs may pre-announce a certificate prior to issuance by submitting a pre-certificate (Section 6.2) that the log can use to create an entry that will be valid against the issued certificate. The CA MAY incorporate the returned SCT in the issued certificate.
>>
>> To:
>>
>> 3.1 Certificates and Pre-certificates
>>
>> Anyone can submit a certificate to a log (see Section 6.1). It is expected that certificate owners (Subjects) or their CAs will usually submit certificates. Alternatively, (root as well as intermediate) CAs may log a certificate prior to issuance by submitting a pre-certificate. The log will use this to create an entry and return an SCT that can be used to verify that the issued certificate was logged (see Section 6.2). The CA may incorporate the returned SCT in the issued certificate.
>>
>> [The rest of 3.2 defines both what the log should accept for a pre-certificate and what the CA must do. So it should remain here but also be duplicated in a requirements document for CAs.]
>
> This change seems fine.
I don't see any advantages to conflating sections 3.1 and 3.2. Are there any?
In -10, I deliberately moved the certificate requirements and precertificate requirements into two separate sections. It's likely that some implementers will have no interest in implementing precertificates. I think that conflating sections 3.1 and 3.2 would make it harder for those implementers to figure out which paragraphs they don't need to read.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
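The two submission paths the quoted sections describe (a certificate logged after issuance, and a pre-certificate logged before issuance whose SCT must later verify against the issued certificate) are the point the thread is arguing about keeping separate. The following is an added illustration, not code from the thread, the draft, or any CT implementation: it models a log that accepts either kind of submission and a client that checks the returned SCT against the issued certificate. It assumes a toy representation of a certificate's to-be-signed fields as a dictionary serialised deterministically in place of DER, string labels `ct_poison` and `ct_sct_list` in place of the real CT extension OIDs, and an HMAC under a constructed key in place of the log's asymmetric signature, so that it runs offline with the standard library only.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the log's signing key. A real log signs SCTs with
# an asymmetric key; an HMAC is used here only so the example runs offline.
LOG_KEY = b"example-log-key-not-real"
LOG_ID = hashlib.sha256(b"example-log-public-key").digest()

X509_ENTRY = 0     # certificate submitted after issuance (Section 3.1)
PRECERT_ENTRY = 1  # pre-certificate submitted before issuance (Section 3.2)

# Illustrative labels standing in for the real CT extension OIDs.
POISON_EXT = "ct_poison"
SCT_LIST_EXT = "ct_sct_list"


def canonical(tbs):
    """Deterministic serialisation of the to-be-signed fields (stand-in for DER)."""
    return json.dumps(tbs, sort_keys=True, separators=(",", ":")).encode()


def strip_ct_extensions(tbs):
    """Drop the poison and SCT-list extensions so the pre-certificate and the
    certificate later issued from it serialise to identical bytes."""
    exts = {k: v for k, v in tbs.get("extensions", {}).items()
            if k not in (POISON_EXT, SCT_LIST_EXT)}
    return {**tbs, "extensions": exts}


def _sct(entry_type, timestamp_ms, entry):
    # The log signs the entry type, its timestamp and the entry bytes.
    msg = bytes([entry_type]) + timestamp_ms.to_bytes(8, "big") + entry
    return {
        "log_id": LOG_ID,
        "timestamp": timestamp_ms,
        "entry_type": entry_type,
        "signature": hmac.new(LOG_KEY, msg, hashlib.sha256).digest(),
    }


def submit_certificate(tbs, timestamp_ms):
    """Log side, Section 3.1: the entry is the certificate exactly as submitted."""
    return _sct(X509_ENTRY, timestamp_ms, canonical(tbs))


def submit_precertificate(issuer_key_hash, precert_tbs, timestamp_ms):
    """Log side, Section 3.2: the log removes the poison extension and binds the
    entry to the issuer, so the SCT will match the certificate issued later."""
    if POISON_EXT not in precert_tbs.get("extensions", {}):
        raise ValueError("pre-certificate must carry the poison extension")
    entry = issuer_key_hash + canonical(strip_ct_extensions(precert_tbs))
    return _sct(PRECERT_ENTRY, timestamp_ms, entry)


def verify_sct(sct, issuer_key_hash, issued_tbs):
    """Client side: rebuild the signed entry from the issued certificate and
    check the log's signature over it."""
    if sct["entry_type"] == X509_ENTRY:
        entry = canonical(issued_tbs)
    else:
        # The embedded SCT list must be removed before the comparison;
        # strip_ct_extensions does that.
        entry = issuer_key_hash + canonical(strip_ct_extensions(issued_tbs))
    msg = bytes([sct["entry_type"]]) + sct["timestamp"].to_bytes(8, "big") + entry
    expected = hmac.new(LOG_KEY, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sct["signature"])


def issue_from_precert(precert_tbs, sct):
    """CA side: replace the poison extension with the SCT returned by the log."""
    issued = strip_ct_extensions(precert_tbs)
    issued["extensions"][SCT_LIST_EXT] = [sct["signature"].hex()]
    return issued


# Constructed sample data.
ISSUER_KEY_HASH = hashlib.sha256(b"example-ca-public-key").digest()
PRECERT = {
    "serial": 1001,
    "subject": "CN=example.test",
    "issuer": "CN=Example CA",
    "extensions": {"subjectAltName": ["example.test"], POISON_EXT: True},
}

if __name__ == "__main__":
    sct = submit_precertificate(ISSUER_KEY_HASH, PRECERT, 1453723200000)
    cert = issue_from_precert(PRECERT, sct)
    print("precert SCT valid for issued cert:", verify_sct(sct, ISSUER_KEY_HASH, cert))
```

The separation in `submit_certificate` versus `submit_precertificate` and `issue_from_precert` is the practical reason a log implementer who never handles pre-certificates can ignore the second path entirely: only the pre-certificate route needs the poison-extension check, the issuer key hash, and the extension stripping on both the log and the client side.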
