Why "Poison Extension" disappeared in rfc6962-bis?


Yusuke OSUMI

Mar 26, 2016, 7:15:47 AM
to certificate-transparency
Hi, 

I read rfc6962-bis and found that the description of the "Poison Extension (OID 1.3.6.1.4.1.11129.2.4.3)" has disappeared.
I want to view the discussion about this issue (and want to know the reason why it disappeared), so can I get URLs for the discussion?

Thanks,
Yusuke

Eran Messeri

Mar 26, 2016, 5:58:01 PM
to certificate-...@googlegroups.com, tr...@ietf.org
[+trans mailing list]
The poison extension was removed because it is no longer necessary - the purpose was to allow creating a pre-certificate in the form of an unusable X.509 certificate (the poison extension is a critical extension that made an otherwise valid X.509 certificate unusable).

In 6962-bis the pre-certificate is encoded using Cryptographic Message Syntax (CMS), not X.509 certificates, so the poison extension is no longer needed.

One reason I recall for the precertificate format transition is the concern that issuing two X.509 certificates with the same serial number (even though one of them is unusable) is against the CA/Browser Forum Baseline Requirements.
The related discussions can be found in the trans mailing list: https://www.ietf.org/mailman/listinfo/trans

Hope this helps,
Eran

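Eran's reply above describes the RFC 6962 encoding, where the precertificate is itself an X.509 certificate carrying the critical poison extension. The following is an added example, not code from this thread or from the certificate-transparency project: a stdlib-only Python DER walker that recognises such a precertificate by that extension and checks that it carries the same serialNumber as the final certificate. The two certificates are constructed inside the script and are skeletal (empty names, placeholder key and signature bytes, no real signing); everything other than the serial, the extension layout and the poison OID 1.3.6.1.4.1.11129.2.4.3 is an assumption made for the example.

```python
# Added example, not from the thread or the CT project. The sample certificates
# built here are constructed placeholders (empty names, dummy key/signature).
from typing import Iterator, List, Tuple

POISON_OID = "1.3.6.1.4.1.11129.2.4.3"  # RFC 6962 precertificate poison extension

# --- minimal DER encoder, only what the constructed samples need ---
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v: int) -> bytes:
    # minimal two's-complement INTEGER for non-negative v
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_certificate(serial: int, poison: bool) -> bytes:
    """Constructed Certificate DER; names, key and signature are placeholders."""
    sig_alg = tlv(0x30, der_oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))  # sha256WithRSA
    rsa_alg = tlv(0x30, der_oid("1.2.840.113549.1.1.1") + tlv(0x05, b""))   # rsaEncryption
    name = tlv(0x30, b"")                                                    # empty Name
    validity = tlv(0x30, tlv(0x17, b"160326000000Z") + tlv(0x17, b"170326000000Z"))
    spki = tlv(0x30, rsa_alg + tlv(0x03, b"\x00" * 9))                      # placeholder key
    exts = [tlv(0x30, der_oid("2.5.29.19") + tlv(0x04, tlv(0x30, b"")))]    # basicConstraints
    if poison:
        # RFC 6962: critical, extnValue is an OCTET STRING holding ASN.1 NULL (05 00)
        exts.append(tlv(0x30, der_oid(POISON_OID) + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x05, b""))))
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(serial) + sig_alg + name
              + validity + name + spki + tlv(0xA3, tlv(0x30, b"".join(exts))))
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 5))                # placeholder sig

# --- DER decoder and the actual check ---
def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the single-byte-tag TLV at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

def decode_oid(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def inspect(cert_der: bytes) -> Tuple[int, List[Tuple[str, bool]]]:
    """Return (serialNumber, [(extnID, critical), ...]) from a DER Certificate."""
    _, cert, _ = read_tlv(cert_der)
    _, tbs, _ = read_tlv(cert)              # tbsCertificate is the first element
    fields = list(children(tbs))
    if fields and fields[0][0] == 0xA0:     # optional EXPLICIT [0] version
        fields.pop(0)
    if not fields or fields[0][0] != 0x02:
        raise ValueError("serialNumber must be an INTEGER")
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    exts: List[Tuple[str, bool]] = []
    for tag, val in fields[1:]:
        if tag != 0xA3:                     # EXPLICIT [3] Extensions
            continue
        _, ext_seq, _ = read_tlv(val)
        for _, ext in children(ext_seq):
            parts = list(children(ext))     # extnID, [critical BOOLEAN], extnValue
            critical = len(parts) == 3 and parts[1][0] == 0x01 and parts[1][1] == b"\xff"
            exts.append((decode_oid(parts[0][1]), critical))
    return serial, exts

def is_rfc6962_precert(cert_der: bytes) -> bool:
    """True iff the critical poison extension is present (RFC 6962 precertificate)."""
    return any(oid == POISON_OID and crit for oid, crit in inspect(cert_der)[1])

def same_serial(a_der: bytes, b_der: bytes) -> bool:
    return inspect(a_der)[0] == inspect(b_der)[0]

# Constructed sample pair: the precertificate and the final certificate share a serial.
SERIAL = 0x0123456789ABCDEF
PRECERT = build_certificate(SERIAL, poison=True)
FINAL = build_certificate(SERIAL, poison=False)

if __name__ == "__main__":
    for label, der in (("precert", PRECERT), ("final", FINAL)):
        serial, exts = inspect(der)
        print(f"{label}: serial={serial:#x} precert={is_rfc6962_precert(der)} exts={exts}")
    print("same serial:", same_serial(PRECERT, FINAL))
```

Running the script shows both blobs reporting the same serial, with only the first one flagged as a precertificate. An ordinary X.509 validator rejects that first blob for exactly the reason Eran gives: it does not recognise a critical extension. Under rfc6962-bis the precertificate is a CMS message rather than a Certificate, so this parser is only meaningful for the RFC 6962 form.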

Yusuke OSUMI

Mar 27, 2016, 3:32:37 AM
to certificate-transparency, tr...@ietf.org
Eran,

Thanks, I get the picture!
I also think "precertificate and issued certificate have the same serial number" is weird and strange, so this change is welcome.



Ben Laurie

Mar 27, 2016, 2:18:50 PM
to certificate-...@googlegroups.com, tr...@ietf.org
On 27 March 2016 at 08:32, Yusuke OSUMI <ozum...@gmail.com> wrote:
Eran,

Thanks, I get the picture!
I also think "precertificate and issued certificate have the same serial number" is weird and strange, so this change is welcome.

Note that the precertificate still has the same serial number as the certificate. It's just that it is not a certificate anymore.
Yusuke OSUMI

Mar 28, 2016, 11:24:53 AM
to certificate-transparency, tr...@ietf.org
Ben,

Oh, I misunderstood a little bit...
To confirm my understanding, can I summarize the precertificate in rfc6962-bis as below?

* The precertificate and the issued certificate have the same serial number.
 => In this context, "serial number of the precertificate" means the serial number of the TBSCertificate in the precertificate.

* The old problem (RFC 6962) is "There are two X.509 certificates with the same serial number".
Now in rfc6962-bis, there are still two certificates with the same serial number. But one is encoded using X.509 (to use for services), and the other is encoded using CMS (precertificate).

* We don't regard the precertificate as a 'Certificate', because it is just a Cryptographic Message (based on RFC 5652).

Thanks,


Ben Laurie

Mar 29, 2016, 7:38:11 AM
to certificate-...@googlegroups.com, tr...@ietf.org
On 28 March 2016 at 16:24, Yusuke OSUMI <ozum...@gmail.com> wrote:
Ben,

Oh, I misunderstood a little bit...
To confirm my understanding, can I summarize the precertificate in rfc6962-bis as below?

* The precertificate and the issued certificate have the same serial number.
 => In this context, "serial number of the precertificate" means the serial number of the TBSCertificate in the precertificate.

Correct.
 

* The old problem (RFC 6962) is "There are two X.509 certificates with the same serial number".
Now in rfc6962-bis, there are still two certificates with the same serial number. But one is encoded using X.509 (to use for services), and the other is encoded using CMS (precertificate).

Well, that means the second one is not a certificate.
 

* We don't regard the precertificate as a 'Certificate', because it is just a Cryptographic Message (based on RFC 5652).

Exactly.

Yusuke OSUMI

Mar 29, 2016, 11:46:22 AM
to certificate-transparency, tr...@ietf.org
Ben,

Thanks, I got it!