From: Stephen Kent <[email protected]>
Date: Saturday, July 5, 2014 at 8:50 AM
To: Ben Laurie <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [Trans] Using a Precertificate Signing Certificate to sign TBScertificates for CT

> > On 1 July 2014 18:34, Stephen Kent <[email protected]> wrote:
> ...
> > As you point out, the log can relax validation rules, which deals with
> > this problem (and we do, indeed, do that in our implementation).
> >
> > My comments noted that relaxing rules in an unspecified fashion creates
> > potential problems for those submitting pre-certs. The specific changes
> > needed to enable acceptance of pre-certs need to be spelled out.
> >
> > Hmm. What we do is check the signatures validate all the way up the
> > chain. That's it. I'm not sure we need anything tighter than that, so
> > I guess we could specify that?
>
> Ok, that's what you do, but 5280 describes a long list of cert path
> validation rules and your doc just says that these can be relaxed. It
> does not prohibit a log from performing the full set dictated by PKIX
> and X.509 path validation procedures, nor does it provide guidance of
> which subset SHOULD/MUST be performed. Absent such guidance different
> log operators can legitimately perform different checks, resulting in
> chaos.

Seems easy enough to specify and justify the relaxed rules (signature checking only) for this application, but is it worth supporting the highlighting of errors, like name constraint violations, to draw the attention of log monitors? An indication could probably be represented as a CTExtension.

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
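An added example, not from the thread and not the code of any CT log, showing the distinction the thread draws using only Go's standard library: a constructed root / name-constrained CA / leaf chain in which every signature verifies, so the relaxed signature-only check described above accepts it, while full RFC 5280 path validation reports the name-constraint violation that a log could surface to monitors. The CA names, serial numbers and domains are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a P-256 key for tmpl and has signer sign it (nil parent = self-signed root).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// BuildChain returns a constructed chain whose signatures are all valid: root -> CA
// name-constrained to example.com -> leaf with SAN host.example.org, outside the constraint.
func BuildChain() (leaf, inter, root *x509.Certificate) {
	base := x509.Certificate{IsCA: true, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	rt, it, lt := base, base, base
	rt.SerialNumber, rt.Subject = big.NewInt(1), pkix.Name{CommonName: "Demo Root"}
	it.SerialNumber, it.Subject = big.NewInt(2), pkix.Name{CommonName: "Demo Constrained CA"}
	it.PermittedDNSDomains, it.PermittedDNSDomainsCritical = []string{"example.com"}, true
	lt.SerialNumber, lt.IsCA, lt.DNSNames = big.NewInt(3), false, []string{"host.example.org"}
	root, rk := issue(&rt, nil, nil)
	inter, ik := issue(&it, root, rk)
	leaf, _ = issue(&lt, inter, ik)
	return
}

// CheckForLog applies the relaxed rule (signatures verify all the way up, nothing else), then
// runs full RFC 5280 path validation separately so a name-constraint violation can be flagged.
func CheckForLog(leaf, inter, root *x509.Certificate) (sigOK, nameViolation bool) {
	sigOK = leaf.CheckSignatureFrom(inter) == nil && inter.CheckSignatureFrom(root) == nil && root.CheckSignatureFrom(root) == nil
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	ci, ok := err.(x509.CertificateInvalidError)
	return sigOK, ok && ci.Reason == x509.CANotAuthorizedForThisName
}
```

A log applying only the first check would accept this chain; the second result is the kind of indication the thread suggests carrying in a CT extension rather than using it to reject the submission.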
