Ben,

Thanks, I got it!


On Tuesday, March 29, 2016 at 8:38:11 PM UTC+9, Ben Laurie wrote:
>
>
>
> On 28 March 2016 at 16:24, Yusuke OSUMI <[email protected]> wrote:
>
>> Ben,
>>
>> Oh, I misunderstood a little bit...
>> To confirm my understanding, can I summarize the precertificate in 
>> rfc6962-bis as below?
>>
>> * The precertificate and the issued certificate have the same serial number.
>>  => In this context, "serial number of precertificate" means the serial 
>> number of the tbscertificate in the precertificate.
>>
>
> Correct.
>  
>
>>
>> * The old problem (RFC6962) is "There are two X.509 certificates with the 
>> same serial number".
>> Now in rfc6962-bis, there are still two certificates with the same serial 
>> number. But one is encoded using X.509 (to use for services), and the other 
>> is encoded using CMS (precertificate).
>>
>
> Well, that means the second one is not a certificate.
>  
>
>>
>> * We don't regard the precertificate as a 'Certificate', because it is just 
>> a Cryptographic Message (based on RFC5652).
>>
>
> Exactly.
>  
>
>>
>> Thanks,
>>
>>
>> On Monday, March 28, 2016 at 3:18:50 AM UTC+9, Ben Laurie wrote:
>>
>>>
>>>
>>> On 27 March 2016 at 08:32, Yusuke OSUMI <[email protected]> wrote:
>>>
>>>> Eran,
>>>>
>>>> Thanks, I get the picture!
>>>> I also think "precertificate and issued certificate have the same 
>>>> serial number" is weird and strange, so this change is welcome.
>>>>
>>>
>>> Note that the precertificate still has the same serial number as the 
>>> certificate. It's just that it is not a certificate anymore.
>>>  
>>>
>>>>
>>>>
>>>> On Sunday, March 27, 2016 at 6:58:01 AM UTC+9, Eran Messeri wrote:
>>>>>
>>>>> [+trans mailing list]
>>>>> The poison extension was removed because it is no longer necessary - 
>>>>> the purpose was to allow creating a pre-certificate in the form of an 
>>>>> unusable X.509 certificate (the poison extension is a critical extension 
>>>>> that made an otherwise valid X.509 certificate unusable).
>>>>>
>>>>> In 6962-bis the pre-certificate is encoded using Cryptographic Message 
>>>>> Syntax (CMS), not X.509 certificates, so the poison extension is no 
>>>>> longer needed.
>>>>>
>>>>> One reason for the precertificate format transition I recall is 
>>>>> concerns that issuing two X.509 certificates with the same serial number 
>>>>> (even though one of them is unusable) is against the CA/Browser Forum 
>>>>> Baseline Requirements. 
>>>>> The related discussions can be found in the trans mailing list: 
>>>>> https://www.ietf.org/mailman/listinfo/trans
>>>>>
>>>>> Hope this helps,
>>>>> Eran
>>>>>
>>>>> On Sat, Mar 26, 2016 at 5:49 AM, Yusuke OSUMI <[email protected]> 
>>>>> wrote:
>>>>>
>>>>>> Hi, 
>>>>>>
>>>>>> I read rfc6962-bis, and found that the description of "Poison Extension 
>>>>>> (OID 1.3.6.1.4.1.11129.2.4.3)" has disappeared.
>>>>>> I want to view the discussion about this issue (and want to know the 
>>>>>> reason why it disappeared), so can I get URLs for the discussion?
>>>>>>
>>>>>> Thanks,
>>>>>> Yusuke
>>>>>>
>>>>>> -- 
>>>>>> You received this message because you are subscribed to the Google 
>>>>>> Groups "certificate-transparency" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, 
>>>>>> send an email to 
>>>>>> [email protected].
>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>
>>>>>
>>>>
>>>
>>
>
>
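
The mechanism Eran describes in the thread, as an added example that is not part of the original messages: RFC 5280 requires a validator to reject a certificate carrying a critical extension it does not recognize, which is how the RFC 6962 poison extension made an otherwise valid X.509 precertificate unusable. The DER bytes are constructed sample Extensions lists, and the function names and the `KNOWN` set are assumptions of this sketch.

```python
# Added illustration; the DER samples are constructed and all names are assumptions.
POISON_OID = "1.3.6.1.4.1.11129.2.4.3"  # RFC 6962 poison extension (OID quoted in the thread)
KNOWN = {"2.5.29.19"}                   # assumption: this toy validator only knows basicConstraints

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OID content octets (base-128 arcs) into dotted notation."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def parse_extensions(der):
    """Return [(oid, critical)] for a DER-encoded Extensions SEQUENCE."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid, nxt = read_tlv(ext, 0)
        tag2, val, _ = read_tlv(ext, nxt)
        # critical is BOOLEAN DEFAULT FALSE: DER omits the field when it is false
        out.append((decode_oid(oid), tag2 == 0x01 and val == b"\xff"))
    return out

def unhandled_critical(der, known):
    """Critical extensions the validator does not understand; RFC 5280 says reject if any."""
    return [oid for oid, crit in parse_extensions(der) if crit and oid not in known]

def seq(*parts):                        # short-form SEQUENCE wrapper for the samples
    body = b"".join(parts)
    return bytes([0x30, len(body)]) + body

BASIC = bytes.fromhex("300c0603551d130101ff04023000")                 # basicConstraints, critical
POISON = bytes.fromhex("3013060a2b06010401d6790204030101ff04020500")  # poison, critical, value NULL
ISSUED_EXTS, PRECERT_EXTS = seq(BASIC), seq(BASIC, POISON)
print(unhandled_critical(ISSUED_EXTS, KNOWN), unhandled_critical(PRECERT_EXTS, KNOWN))
```

A CT-aware component that adds `POISON_OID` to its known set sees no unhandled critical extensions and can treat the object as a precertificate, while every other validator refuses it.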