Ben,
Oh, I misunderstood a little bit...
To confirm my understanding, can I summarize precertificates in rfc6962-bis
as below?
* Precertificate and issued certificate have the same serial number.
=> In this context, "serial number of precertificate" means the serial
number of the tbsCertificate in the precertificate.
* The old problem (RFC 6962) is "There are two X.509 certificates with the same
serial number".
Now in rfc6962-bis, there are still two certificates with the same serial
number. But one is encoded using X.509 (to use for services), and the other is
encoded using CMS (precertificate).
* We don't regard the precertificate as a 'Certificate', because it is just a
Cryptographic Message (based on RFC 5652).
Thanks,
On Monday, March 28, 2016 at 3:18:50 AM UTC+9, Ben Laurie wrote:
>
>
>
> On 27 March 2016 at 08:32, Yusuke OSUMI <[email protected]> wrote:
>
>> Eran,
>>
>> Thanks, I get the picture!
>> I also think "precertificate and issued certificate have the same serial
>> number" is weird and strange, so this change is welcome.
>>
>
> Note that the precertificate still has the same serial number as the
> certificate. It's just that it is not a certificate anymore.
>
>
>>
>>
>> On Sunday, March 27, 2016 at 6:58:01 AM UTC+9, Eran Messeri wrote:
>>>
>>> [+trans mailing list]
>>> The poison extension was removed because it is no longer necessary - the
>>> purpose was to allow creating a pre-certificate in the form of an unusable
>>> X.509 certificate (the poison extension is a critical extension that made
>>> an otherwise valid X.509 certificate unusable).
>>>
>>> In 6962-bis the pre-certificate is encoded using Cryptographic Message
>>> Syntax (CMS), not X.509 certificates, so the poison extension is no longer
>>> needed.
>>>
>>> One reason for the precertificate format transition I recall is concerns
>>> that issuing two X.509 certificates with the same serial number (even
>>> though one of them is unusable) is against the CA/Browser Forum Baseline
>>> Requirements.
>>> The related discussions can be found in the trans mailing list:
>>> https://www.ietf.org/mailman/listinfo/trans
>>>
>>> Hope this helps,
>>> Eran
>>>
>>> On Sat, Mar 26, 2016 at 5:49 AM, Yusuke OSUMI <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> I read rfc6962-bis, and found that the description of "Poison Extension
>>>> (OID 1.3.6.1.4.1.11129.2.4.3)" has disappeared.
>>>> I want to view a discussion about this issue (and want to know the
>>>> reason why it disappeared), so can I get URLs for the discussion?
>>>>
>>>> Thanks,
>>>> Yusuke
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "certificate-transparency" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>
>
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
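The mechanism Eran describes, as an added example that is not part of this thread or of any CT project code: under RFC 6962 a precertificate is an X.509 certificate carrying the poison extension (OID 1.3.6.1.4.1.11129.2.4.3) marked critical, with an ASN.1 NULL as its value, so a conforming validator must refuse it. A relying party that silently ignores unknown critical extensions would accept the precertificate as if it were the real leaf with that serial number. The self-contained DER walker below, written for this post with a hand-built sample extension list (no real certificate is parsed), shows both the OID encoding and the defender-side check; the function and constant names are the example's own.

```python
# Added example (not from the thread): a minimal DER walker that detects the
# RFC 6962 poison extension in an X.509 Extensions SEQUENCE. Extension names,
# helper names and the sample inputs are constructed for this illustration.

POISON_OID = "1.3.6.1.4.1.11129.2.4.3"   # RFC 6962 precertificate poison
BASIC_CONSTRAINTS_OID = "2.5.29.19"       # only used to build the sample input


def _der_length(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def der_tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER tag-length-value."""
    return bytes([tag]) + _der_length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a full OBJECT IDENTIFIER TLV (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])      # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                         # base-128, high bit = "more"
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def decode_oid(body: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER back to dotted form."""
    arcs = [body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf: bytes, pos: int):
    """Read one TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                                 # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_extensions(extensions_der: bytes):
    """Parse a DER Extensions SEQUENCE into (oid, critical, extnValue) tuples."""
    tag, seq, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
        #                          extnValue OCTET STRING }
        _, oid_body, p = read_tlv(ext, 0)
        tag, body, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:                              # BOOLEAN present (DER TRUE = 0xFF)
            critical = body == b"\xff"
            tag, body, p = read_tlv(ext, p)
        out.append((decode_oid(oid_body), critical, body))
    return out


def is_rfc6962_precertificate(extensions_der: bytes) -> bool:
    """True when the poison extension is present, critical, and holds ASN.1 NULL."""
    return any(oid == POISON_OID and critical and value == b"\x05\x00"
               for oid, critical, value in parse_extensions(extensions_der))


def build_extension(oid: str, critical: bool, value: bytes) -> bytes:
    """Build one DER Extension (helper for the constructed sample input)."""
    body = encode_oid(oid) + (der_tlv(0x01, b"\xff") if critical else b"")
    return der_tlv(0x30, body + der_tlv(0x04, value))


# Constructed sample inputs: a leaf-style list, and the same list with the
# poison extension added, as an RFC 6962 CA would do for the precertificate.
_BC = build_extension(BASIC_CONSTRAINTS_OID, True, der_tlv(0x30, b""))
LEAF_EXTENSIONS = der_tlv(0x30, _BC)
PRECERT_EXTENSIONS = der_tlv(0x30, _BC + build_extension(POISON_OID, True, b"\x05\x00"))

if __name__ == "__main__":
    print("poison OID TLV:", encode_oid(POISON_OID).hex())
    print("leaf is precert?   ", is_rfc6962_precertificate(LEAF_EXTENSIONS))
    print("precert is precert?", is_rfc6962_precertificate(PRECERT_EXTENSIONS))
```

The check deliberately requires all three properties (OID, critical flag, NULL value) rather than the OID alone, so that a validator applying it treats anything else carrying that OID as an ordinary unknown extension and handles it under its normal critical-extension rule. Under rfc6962-bis this X.509 check no longer applies, since the precertificate is a CMS object and never parses as a certificate in the first place.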