On 27 March 2016 at 08:32, Yusuke OSUMI <[email protected]> wrote:
> Eran,
>
> Thanks, I get the picture!
> I also think "precertificate and issued certificate have the same serial
> number" is weird and strange, so this change is welcome.
>

Note that the precertificate still has the same serial number as the certificate. It's just that it is not a certificate anymore.

>
>
> On Sunday, 27 March 2016 at 06:58:01 UTC+9, Eran Messeri wrote:
>>
>> [+trans mailing list]
>> The poison extension was removed because it is no longer necessary - the
>> purpose was to allow creating a pre-certificate in the form of an unusable
>> X.509 certificate (the poison extension is a critical extension that made
>> an otherwise valid X.509 certificate unusable).
>>
>> In 6962-bis the pre-certificate is encoded using Cryptographic Message
>> Syntax (CMS), not X.509 certificates, so the poison extension is no longer
>> needed.
>>
>> One reason for the precertificate format transition I recall is concerns
>> that issuing two X.509 certificates with the same serial number (even
>> though one of them is unusable) is against the CA/Browsers forum Baseline
>> Requirements.
>> The related discussions can be found in the trans mailing list:
>> https://www.ietf.org/mailman/listinfo/trans
>>
>> Hope this helps,
>> Eran
>>
>> On Sat, Mar 26, 2016 at 5:49 AM, Yusuke OSUMI <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I read rfc6962-bis, and found that description of "Poison Extension (OID
>>> 1.3.6.1.4.1.11129.2.4.3)" has disappeared.
>>> I want to view a discussion about this issue (and want to know the reason
>>> why it disappeared), so can I get URLs about the discussion?
>>>
>>> Thanks,
>>> Yusuke
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "certificate-transparency" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
>>>
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
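
The mechanism described in the quoted reply (a critical extension that makes an otherwise valid X.509 certificate unusable), as an added example that is not part of the original thread. It parses an Extensions SEQUENCE, applies the RFC 5280 rule that an unrecognized critical extension forces rejection, and detects the RFC 6962 poison extension. The DER bytes are constructed sample data, and the function names are hypothetical; a real certificate carries this list inside its TBSCertificate.

```python
POISON_OID = "1.3.6.1.4.1.11129.2.4.3"  # OID quoted in the thread

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [], 0
    for byte in body:  # each arc is base-128, high bit set on all but the last
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_extensions(der):
    """Parse an Extensions SEQUENCE into (oid, critical, extnValue) tuples."""
    out, pos = [], 0
    _, body, _ = read_tlv(der, 0)
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid, p = read_tlv(ext, 0)
        tag, val, p = read_tlv(ext, p)
        critical = tag == 0x01 and val != b"\x00"  # BOOLEAN DEFAULT FALSE
        if tag == 0x01:
            _, val, p = read_tlv(ext, p)  # extnValue follows the BOOLEAN
        out.append((decode_oid(oid), critical, val))
    return out

def rfc5280_accepts(der, recognized):
    """RFC 5280 rule: reject if any critical extension is unrecognized."""
    return all(o in recognized for o, crit, _ in parse_extensions(der) if crit)

def is_rfc6962_precert(der):
    """True if the critical poison extension (value ASN.1 NULL) is present."""
    return (POISON_OID, True, b"\x05\x00") in parse_extensions(der)

# Constructed sample data: critical basicConstraints (2.5.29.19), then + poison.
BC = bytes.fromhex("300c0603551d130101ff04023000")
POISON = bytes.fromhex("3013060a2b06010401d6790204030101ff04020500")
FINAL_EXTS = bytes([0x30, len(BC)]) + BC
PRECERT_EXTS = bytes([0x30, len(BC + POISON)]) + BC + POISON
```

A validator that only recognizes basicConstraints accepts `FINAL_EXTS` and rejects `PRECERT_EXTS`, which is what made the RFC 6962 precertificate unusable as a certificate.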
