On 19/12/12 12:47, Stephen Farrell wrote:
> <snip>
> The 2nd part of the comment was that if you do need
> to change the precertificate_chain idea (if the
> issuing CA cannot create a precert issuer under itself
> e.g. because of a pathLenConstraint) then the
> PrecertChainEntry syntax might also have to change.
> I dunno if that'd be a real problem now, or only
> later, or is just theoretical but I'd say there
> will be CAs that can issue TLS server certs but
> that cannot issue a sub-ca cert for precertificates.

Ben, you said to me privately a couple of months ago that you would be happy to support the option of having each pre-cert signed directly by the same root/intermediate CA that will sign the final cert.

Are you still happy to support this option?

IMHO, having to include a Precertificate Signing Certificate in the precert chain represents unnecessary hassle.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey
