[cabfpub] Application for SHA-1 Issuance

Rick Andrews Rick_Andrews at symantec.com
Wed Jul 27 22:08:51 UTC 2016


Erwann,

Marc Stevens said "certs" but he meant "TBSCertificates". We didn't sign
certificates; we published TBSCertificates.

-Rick

--------------------------

From: Erwann Abalea <eabalea at gmail.com>
Date: July 27, 2016 at 12:41:27 PM GMT-5
To: Dean Coclin <Dean_Coclin at symantec.com>
Subject: Re: [cabfpub] Application for SHA-1 Issuance
He tested the full certificates of the second set, not their tbs, in fact. 

On Wednesday, July 27, 2016, Dean Coclin <Dean_Coclin at symantec.com>
wrote:
I saw an email from Marc Stevens on the Mozilla list a few days ago which
indicated he tested both the original set of TBS certs and the 2nd set and
did not see any issues. 
(See: https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/sku5NYXdpOM)
 
Are there other questions that folks would like to ask or concerns that can
be addressed?
 
Symantec is awaiting approval from browsers to schedule the signing ceremony
this weekend if possible.
 
Thanks,
Dean
 
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ryan Sleevi
Sent: Monday, July 25, 2016 4:26 PM
To: Rob Stradling <rob.stradling at comodo.com>
Cc: Dean Coclin <Dean_Coclin at symantec.com>; CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Application for SHA-1 Issuance
 
 
 
On Mon, Jul 25, 2016 at 2:20 PM, Rob Stradling <rob.stradling at comodo.com>
wrote:
IINM, both Gerv and Ryan indicated (or at least strongly implied) that
rigid construction was a prerequisite for their (Mozilla's and Google's)
approval of TSYS's request.  Did I misread something?
 
From https://cabforum.org/pipermail/public/2016-July/008096.html
 
"Certificates whose contents are entirely predictable or in line with
precedent would also be acceptable; but it seemed like there were
several questions about that floating around, and doing the serial
numbers by strict construction makes them all moot. If you want to try
dealing with all the questions about the contents instead, you are
welcome to try."
 
Also, I don't see the relevance of "strong consensus".  AIUI, there must
be unanimous agreement.  If just one root program operator rejects
TSYS's request, then you can't issue the SHA-1 certs.  Similarly, if
just one root program operator says rigidly constructed serial numbers
are required, then you can't use random serial numbers.


-- 
Erwann.
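The distinction Rick draws above (published TBSCertificates versus signed certificates) matters because the collision analysis is performed on the to-be-signed bytes, and a reviewer later wants to confirm that the tbsCertificate inside the final signed certificate is byte-for-byte the structure that was published. The following is an added example, not code from this thread or from any of the participants: a minimal DER walker that pulls the tbsCertificate out of a DER Certificate and compares it (and its SHA-1 digest) with the published TBS. The certificate below is a constructed toy structure, not a real issued certificate.

```python
import hashlib

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short- or long-form length). Used only to build the toy sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read_tlv(buf: bytes, pos: int):
    """Parse the TLV header at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def tbs_certificate(cert_der: bytes) -> bytes:
    """Return the raw tbsCertificate TLV (first element of the outer Certificate SEQUENCE)."""
    tag, start, end = _read_tlv(cert_der, 0)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("input is not a single DER SEQUENCE")
    tbs_tag, _, tbs_end = _read_tlv(cert_der, start)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate must be a SEQUENCE")
    return cert_der[start:tbs_end]

def tbs_sha1(cert_der: bytes) -> str:
    """SHA-1 of the embedded tbsCertificate, i.e. the value a SHA-1 signature actually covers."""
    return hashlib.sha1(tbs_certificate(cert_der)).hexdigest()

def matches_published(cert_der: bytes, published_tbs: bytes) -> bool:
    """True if the signed certificate embeds exactly the published TBSCertificate."""
    return tbs_certificate(cert_der) == published_tbs

# Constructed toy sample (assumption: a plausible but fake structure, not a real certificate).
SAMPLE_TBS = der(0x30, der(0xA0, der(0x02, b"\x02"))       # version v3
                     + der(0x02, b"\x2b\x6f\x3d\x0a\x17"))   # serial number (toy value)
SHA1_WITH_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010105")))
SAMPLE_CERT = der(0x30, SAMPLE_TBS + SHA1_WITH_RSA + der(0x03, b"\x00" + b"\xaa" * 8))
# A certificate whose TBS was altered after publication (serial's last byte changed).
TAMPERED_CERT = SAMPLE_CERT.replace(b"\x0a\x17", b"\x0a\x18")
```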