On 20 December 2012 14:06, Rob Stradling <rob.stradl...@comodo.com> wrote:
> On 20/12/12 11:39, Ben Laurie wrote:
>>
>> On 20 December 2012 11:38, Ben Laurie <b...@google.com> wrote:
>>>
>>> On 20 December 2012 11:28, Rob Stradling <rob.stradl...@comodo.com>
>>> wrote:
>>>>
>>>> On 20/12/12 11:20, Ben Laurie wrote:
>>>>>
>>>>>
>>>>> On 20 December 2012 09:50, Stephen Farrell <stephen.farr...@cs.tcd.ie>
>>>>> wrote:
>>>>>>
>>>>>>
>>>>>> - Having a thing with basicConstraints.cA==false issue precerts
>>>>>> seems wrong, but that may be better discussed during IETF LC so
>>>>>> I'm not requesting a change now.
>>>>>
>>>>>
>>>>>
>>>>> This was deliberate to avoid the precertificate being a valid
>>>>> certificate, as requested by CAs.
>>>>
>>>>
>>>>
>>>> Ben, doesn't the new poison critical extension requirement mean that this
>>>> Basic Constraints hack is no longer needed?
>>>>
>>>> The poison critical extension means that a precert cannot be used as a cert.
>>>> Is that not invalid enough?!?
>>>
>>>
>>> Probably.
>>
>>
>> I've removed it.
>
>
> Ben, I see that "(note that the log may relax standard validation rules to
> allow this, so long as the final signed certificate will be valid)" is still
> present in -05.  I think I see why...
>
> Am I correct that the Issuer and Authority Key Identifier fields in a
> precertificate MUST match the Subject and Subject Key Identifier fields in
> "the CA certificate that will sign the final certificate", even if the
> precertificate is actually signed by the private key that corresponds to a
> Precertificate Signing Certificate?
>
> If yes, then I think it might be worth emphasizing this point.

Right now the log actually replaces these with the right things,
rather than requiring the pre-cert to contain them. But again, we are
happy to be guided by CAs on the best thing to do here.

The reason for that note was actually for things like path length
constraints that might get violated by inserting an extra
intermediate.

>
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
>
_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey