Eran,

Thanks, I get the picture!
I also think "precertificate and issued certificate have the same serial 
number" is weird and strange, so this change is welcome.


On Sunday, March 27, 2016 at 6:58:01 UTC+9, Eran Messeri wrote:
>
> [+trans mailing list]
> The poison extension was removed because it is no longer necessary - the 
> purpose was to allow creating a pre-certificate in the form of an unusable 
> X.509 certificate (the poison extension is a critical extension that made 
> an otherwise valid X.509 certificate unusable).
>
> In 6962-bis the pre-certificate is encoded using Cryptographic Message 
> Syntax (CMS), not X.509 certificates, so the poison extension is no longer 
> needed.
>
> One reason for the precertificate format transition I recall is concerns 
> that issuing two X.509 certificates with the same serial number (even 
> though one of them is unusable) is against the CA/Browser Forum Baseline 
> Requirements. 
> The related discussions can be found in the trans mailing list: 
> https://www.ietf.org/mailman/listinfo/trans
>
> Hope this helps,
> Eran
>
> On Sat, Mar 26, 2016 at 5:49 AM, Yusuke OSUMI <[email protected]> wrote:
>
>> Hi, 
>>
>> I read rfc6962-bis, and found that the description of "Poison Extension (OID 
>> 1.3.6.1.4.1.11129.2.4.3)" has disappeared.
>> I want to view a discussion about this issue (and want to know the reason 
>> why it disappeared), so can I get URLs about the discussion?
>>
>> Thanks,
>> Yusuke
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
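
Added example (not part of the thread and not code from any CT implementation): a minimal Python DER walker that looks for the poison extension OID quoted above in a certificate's Extensions sequence and reports whether it is marked critical, which is what made an RFC 6962 precertificate unusable as an ordinary X.509 certificate. The byte strings are constructed sample data, and all function and constant names are hypothetical.

```python
POISON_OID = "1.3.6.1.4.1.11129.2.4.3"  # OID quoted in the thread

def encode_oid(dotted):
    """Encode a dotted OID as DER OBJECT IDENTIFIER content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:  # base-128, high bit set on all but the last byte
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def poison_status(extensions_der):
    """Return 'absent', 'critical' or 'non-critical' for the poison extension."""
    tag, exts, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE of Extension")
    pos, poison = 0, encode_oid(POISON_OID)
    while pos < len(exts):
        _, ext, pos = read_tlv(exts, pos)
        oid_tag, oid, after_oid = read_tlv(ext, 0)
        if oid_tag != 0x06 or oid != poison:
            continue
        # 'critical' is an optional BOOLEAN (DEFAULT FALSE) before extnValue
        next_tag, value, _ = read_tlv(ext, after_oid)
        return "critical" if (next_tag, value) == (0x01, b"\xff") else "non-critical"
    return "absent"

BASIC_CONSTRAINTS = bytes.fromhex("300c0603551d130101ff04023000")  # constructed
POISON = bytes.fromhex("3013060a2b06010401d6790204030101ff04020500")  # constructed
PRECERT_EXTS = b"\x30\x23" + BASIC_CONSTRAINTS + POISON  # RFC 6962-style precert
ISSUED_EXTS = b"\x30\x0e" + BASIC_CONSTRAINTS  # issued certificate, no poison
```
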