[cabfpub] [TRANS] CA survey - CT Precertificate format in 6962-bis

Jeremy.Rowley jeremy.rowley at digicert.com
Fri Oct 3 10:37:42 MST 2014


Minor point- CAs will need to implement CT in accordance with the 
requirements adopted by Google in order to maintain the EV indicator in 
Chrome.  The standards track RFC is irrelevant until the date Google 
specifies that their implementation will require RFC-compliant pre-certs 
(which will likely happen after the standard is adopted, not at the same 
time).

On 10/3/2014 9:26 AM, Rob Stradling wrote:
> On 03/10/14 13:44, Stephen Davidson wrote:
>> Hi Rob:
> Hi Stephen.
>
>> Thanks for this.  Here's my personal feedback:
>>
>> 1) Yes, implementing the ability to use the same serial in both the precert and actual cert is onerous for many CAs, but
>> 2) the CAs responsible for the vast majority of SSL issuance will have to make it happen as the Google EV implementation precedes the standards track.
> The "vast majority of SSL issuance" does not reflect the number of
> implementations that will exist of either RFC6962 or of the future
> Standards Track CT RFC.
>
>> I believe that the complexity of dealing with that non-unique serial has been at the heart of most CA resistance to CT, but the authors of CT considered it an essential requirement.
> RFC6962 requires a Precertificate and the associated Certificate to both
> be X.509 certificates and share exactly the same serial number.
> However, 6962-bis is almost certainly going to change this somehow.
>
> So, please imagine for now that a Precertificate doesn't have to have
> the same serial number as the associated Certificate.  Then consider
> Melinda's question.  Thanks.
>
>> While I am grateful to have the difficulties of the non-unique serial acknowledged, it strikes me as fruitless to open discussion at this late stage.
> RFC6962 is an Experimental RFC.  To turn it into a Standards Track RFC,
> we need to smooth its rough edges.
>
>> CAs are already implementing CT:  it goes live in 89 days.
> And when the Standards Track RFC exists, CAs (and log servers and
> browsers) will need to also implement that.
>
>> Best regards, Stephen
>>
>>
>>
>> -----Original Message-----
>> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rob Stradling
>> Sent: Thursday, October 02, 2014 5:36 PM
>> To: public at cabforum.org
>> Subject: [cabfpub] [TRANS] CA survey - CT Precertificate format in 6962-bis
>>
>> [Only CABForum members can post to this list, hence why I'm forwarding this message from Melinda Shore]
>>
>>
>> Hi, all:
>>
>> I co-chair the IETF "trans" working group, which is in the process
>> of developing a standards-track specification for certificate
>> transparency (logging).  We're trying to get a handle on the
>> potential impact of including serial numbers in precertificates.
>> Are there CAs who would otherwise implement CT but for whom
>> either needing to know the serial number of a certificate prior
>> to it being issued, or having to issue a certificate and precertificate
>> simultaneously would be 1) a complete non-starter, or 2)
>> excessively onerous?
>>
>> Thanks,
>>
>> Melinda
>>
>>
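Rob's summary above (RFC 6962 requires the Precertificate and the final Certificate to both be X.509 certificates sharing exactly the same serial number, with the precertificate distinguished only by the critical "poison" extension) is easier to reason about with the two artifacts in hand. The following Go program is an added example written for this page, not code from the thread, from any CA, or from RFC 6962 itself: it issues a precertificate and the matching certificate from one template under a constructed test CA, then applies the pairing checks an auditor would run and shows why the poisoned precertificate is rejected on the ordinary TLS validation path. The CA name, the hostname `example.test`, the serial value and the `CheckPair`/`VerifyAgainstCA` helpers are all constructed for the example; the CA signs the precertificate directly, so the dedicated Precertificate Signing Certificate that RFC 6962 also permits is not modelled, and `slices.ContainsFunc` assumes Go 1.21 or later.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// PrecertPoisonOID is the RFC 6962 poison extension (1.3.6.1.4.1.11129.2.4.3), critical by definition.
var PrecertPoisonOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}

// issue signs tmpl under parent with priv and parses the DER back into a certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPair issues a precertificate and the final certificate from one leaf template, reusing
// the same serial as RFC 6962 requires. Keys are generated on the fly, names are constructed
// sample values, and the CA signs the precertificate directly (no Precertificate Signing Certificate).
func BuildPair(serial *big.Int) (ca, precert, cert *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}
	if ca, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return
	}
	// One template for both artifacts; the precertificate differs only by the poison extension.
	leaf := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: "example.test"}, DNSNames: []string{"example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	pre := *leaf
	pre.ExtraExtensions = []pkix.Extension{{Id: PrecertPoisonOID, Critical: true, Value: []byte{0x05, 0x00}}} // ASN.1 NULL
	if precert, err = issue(&pre, ca, &leafKey.PublicKey, caKey); err != nil {
		return
	}
	cert, err = issue(leaf, ca, &leafKey.PublicKey, caKey)
	return
}

// CheckPair applies the pairing rules an auditor would check: same serial, same issuer, subject
// and key, and the poison present (and critical) only on the precertificate.
func CheckPair(precert, cert *x509.Certificate) error {
	if precert.SerialNumber.Cmp(cert.SerialNumber) != 0 {
		return errors.New("serial numbers differ")
	}
	// Go lists critical extensions it cannot interpret; the poison must be one of them.
	if !slices.ContainsFunc(precert.UnhandledCriticalExtensions, PrecertPoisonOID.Equal) {
		return errors.New("precertificate lacks a critical poison extension")
	}
	if slices.ContainsFunc(cert.Extensions, func(e pkix.Extension) bool { return e.Id.Equal(PrecertPoisonOID) }) {
		return errors.New("final certificate must not carry the poison extension")
	}
	if !bytes.Equal(precert.RawIssuer, cert.RawIssuer) || !bytes.Equal(precert.RawSubject, cert.RawSubject) || !bytes.Equal(precert.RawSubjectPublicKeyInfo, cert.RawSubjectPublicKeyInfo) {
		return errors.New("issuer, subject or public key differ")
	}
	return nil
}

// VerifyAgainstCA runs ordinary chain validation, which a precertificate fails because Go,
// like a browser, rejects any critical extension it does not understand.
func VerifyAgainstCA(c, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: "example.test"})
	return err
}

func main() {
	ca, precert, cert, err := BuildPair(big.NewInt(0x1234))
	if err != nil {
		panic(err)
	}
	fmt.Println("pair check:", CheckPair(precert, cert), "| precert on TLS path:", VerifyAgainstCA(precert, ca))
	fmt.Println("final cert on TLS path:", VerifyAgainstCA(cert, ca))
}
```

The operational point the thread is circling is visible in `BuildPair`: the CA must know the final serial before the precertificate is signed, because the same value goes into both `TBSCertificate` structures, and anything issued later under that serial without the poison is the only artifact a TLS client will accept. `CheckPair` is the minimum an auditor needs to tie a logged precertificate to the certificate actually served.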