[cabfpub] CT Precertificates and the BRs

Rob Stradling rob.stradling at comodo.com
Fri Jan 10 13:57:51 UTC 2014


On 07/01/14 15:47, Erwann Abalea wrote:
> On 07/01/2014 13:14, Rob Stradling wrote:
>> I've changed my mind.  I no longer think that a CT Precertificate (with
>> the same Issuer Name/Key and Serial Number as the corresponding SSL
>> Certificate) is currently illegal under the BRs.
>>
>> The current scope of the BRs is "Certificates intended to be used for
>> authenticating servers accessible through the Internet".  A CT
>> Precertificate is only intended to be used to verify that the CA and the
>> CT Log(s) are doing CT stuff correctly.  It's the corresponding SSL
>> Certificate that is intended to be used for authenticating server(s).
>
> I think it's a dangerous reading. It could be stretched to authorize
> several colliding {issuerDN,serialNumber} certificates as long as only
> one of those certificates is "intended to be used for authenticating
> servers accessible through the Internet" (since it's the rationale
> you're using).
> For example, {issuerDN="C=US,O=BadCA", serialNumber=1} could be
> associated with such a TLS certificate and a TSP certificate and an Adobe
> signing certificate and even an OCSP responder.

I agree that there are some loopholes in the BRs that need to be fixed.
So let's fix them.

Meanwhile, I will continue to interpret the BRs based on what is 
actually written in the BRs.

The BRs need to say what they mean, and mean what they say.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online



