--
You received this message because you are subscribed to the Google Groups "certificate-transparency" group.
To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transp...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Eran,
Thanks, I get the picture!
I also think "precertificate and issued certificate have the same serial number" is weird and strange, so this change is welcome.
On Sunday, March 27, 2016 at 6:58:01 AM UTC+9, Eran Messeri wrote:
[+trans mailing list]
The poison extension was removed because it is no longer necessary - the purpose was to allow creating a pre-certificate in the form of an unusable X.509 certificate (the poison extension is a critical extension that made an otherwise valid X.509 certificate unusable).
In 6962-bis the pre-certificate is encoded using Cryptographic Message Syntax (CMS), not X.509 certificates, so the poison extension is no longer needed.
One reason for the precertificate format transition I recall is concerns that issuing two X.509 certificates with the same serial number (even though one of them is unusable) is against the CA/Browser Forum Baseline Requirements.
The related discussions can be found in the trans mailing list: https://www.ietf.org/mailman/listinfo/trans
Hope this helps,
Eran
On Sat, Mar 26, 2016 at 5:49 AM, Yusuke OSUMI <ozum...@gmail.com> wrote:
Hi,
I read rfc6962-bis, and found that the description of "Poison Extension (OID 1.3.6.1.4.1.11129.2.4.3)" has disappeared.
I want to view a discussion about this issue (and want to know the reason why it disappeared), so can I get URLs about the discussion?
Thanks,
Yusuke
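The mechanism Eran describes (a critical extension that makes an otherwise valid X.509 certificate unusable) can be shown at the DER level. This is an added example, not code from the thread or from any CT implementation: the helper names and the key usage sample are constructed, only short-form DER lengths are handled, and the NULL extnValue is the RFC 6962 encoding.

```python
POISON_OID = "1.3.6.1.4.1.11129.2.4.3"  # from the thread (RFC 6962 precertificates)
KEY_USAGE_OID = "2.5.29.15"             # ordinary extension, constructed sample

def tlv(tag, body):
    """DER-encode one TLV; short-form lengths only, enough for these samples."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def extension(oid, critical, value):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }"""
    flag = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, encode_oid(oid) + flag + tlv(0x04, value))

def read_tlvs(data):
    """Split concatenated short-form TLVs into (tag, body) pairs."""
    items, pos = [], 0
    while pos < len(data):
        length = data[pos + 1]
        items.append((data[pos], data[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return items

def critical_oids(extensions_der):
    """Return the encoded OIDs of every extension marked critical."""
    found = set()
    for _, ext in read_tlvs(read_tlvs(extensions_der)[0][1]):
        fields = read_tlvs(ext)
        if fields[1] == (0x01, b"\xff"):
            found.add(tlv(0x06, fields[0][1]))
    return found

def client_accepts(extensions_der, understood):
    """RFC 5280 rule: reject if any critical extension is not understood."""
    return critical_oids(extensions_der) <= {encode_oid(o) for o in understood}

def is_precertificate(extensions_der):
    """A CT-aware tool recognises an RFC 6962 precertificate by the poison."""
    return encode_oid(POISON_OID) in critical_oids(extensions_der)

# Constructed samples: the same extension list with and without the poison.
KEY_USAGE = extension(KEY_USAGE_OID, True, bytes.fromhex("030205a0"))
POISON = extension(POISON_OID, True, bytes.fromhex("0500"))  # extnValue is ASN.1 NULL
FINAL_EXTS = tlv(0x30, KEY_USAGE)
PRECERT_EXTS = tlv(0x30, KEY_USAGE + POISON)
```

A relying party that understands only key usage accepts `FINAL_EXTS` and rejects `PRECERT_EXTS`, while `is_precertificate` is how a CT-aware tool tells the two apart.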
On 27 March 2016 at 08:32, Yusuke OSUMI <ozum...@gmail.com> wrote:
Eran,
Thanks, I get the picture!
I also think "precertificate and issued certificate have the same serial number" is weird and strange, so this change is welcome.

Note that the precertificate still has the same serial number as the certificate. It's just that it is not a certificate anymore.
Ben,
Oh, I misunderstood a little bit...
To confirm my understanding, can I summarize the precertificate in rfc6962-bis as below?
* Precertificate and issued certificate have the same serial number.
  => In this context, "serial number of precertificate" means the serial number of the tbscertificate in the precertificate.
* The old problem (RFC6962) is "There are two X.509 certificates with the same serial number". Now in rfc6962-bis, there are still two certificates with the same serial number. But one is encoded using X.509 (to use for services), and the other is encoded using CMS (precertificate).
* We don't regard the precertificate as a 'Certificate', because it is just a Cryptographic Message (based on RFC5652).
Thanks,
On Monday, March 28, 2016 at 3:18:50 AM UTC+9, Ben Laurie wrote:
On 27 March 2016 at 08:32, Yusuke OSUMI <ozum...@gmail.com> wrote:
Eran,
Thanks, I get the picture!
I also think "precertificate and issued certificate have the same serial number" is weird and strange, so this change is welcome.

Note that the precertificate still has the same serial number as the certificate. It's just that it is not a certificate anymore.