[cabfpub] Ballot for limited exemption to RFC 5280 for CTimplementation

[Brian Smith]

On Wed, Oct 1, 2014 at 9:48 AM, Ben Laurie <benl at google.com> wrote:
> On 26 September 2014 20:32, Brian Smith <brian at briansmith.org> wrote:
>> On Thu, Sep 25, 2014 at 2:57 AM, Ben Laurie <benl at google.com> wrote:
>> The point of this ballot is that precertificates are supposed to be
>> treated like certificates, except that they can duplicate the serial
>> numbers of other certificates from the same issuer. There are a lot of
>> surprising consequences of that. For example, if a precertificate is
>> "mis-issued" then it needs to be revoked, even though it has the
>> poison extension.
>
> I'm not at all sure I agree with this - the pre-certificate is just a
> vehicle for carrying information about the final certificate. It
> contains the poison extension precisely so it _can't_ be treated like
> a certificate. Therefore, it seems to me, it does not need revocation.

That isn't what the proposed ballot says, though. My understanding of
the proposed ballot is "Treat precertificates like certificates in
every way, except allow them to have duplicate serial numbers and
allow them to duplicate the serial numbers of certificates."

Like was discussed before, if the BRs don't apply to precertificates
then this ballot isn't necessary. If this ballot goes forward then the
only reasonable way to interpret it is that all the requirements on
certificates, except those explicitly exempted, apply to
precertificates. That includes, in particular, the need to revoke
precertificates that are mis-issued.

Cheers,
Brian