Matt,
> Logs shouldn't be enforcing *anything*. A log isn't a judge, it's a record. The only constraints on what should be rejected from being accepted by a log should be those things which prevent abuse sufficient to render a log unusable.
That's a very simple, strong assertion, but it isn't accompanied by a rationale.

I agree that the current description of a log focuses on recording cert
info, but it already includes an element of "judgement" since it has
a list of the root CAs that must anchor the cert chains that it will accept.

If we stick with the detection of mis-issuance rationale that the document
asserts as the goal for CT, and if we define mis-issuance as broadly as Ben
suggested in response to my first cut at a definition, with his specific references to EV certs and key sizes, then we have to check certs against those criteria at some
place in the system.

The current design appears to call for Monitors to do this, and one could stick with that approach. The description of Monitors says that "They also watch for certificates of interest." I interpret this to mean that a Monitor has a list of certs, or of Subject names and keys, that it is "protecting." If a Subject does not run its own Monitor, and it doesn't arrange for some other entity
to act as a Monitor to protect the Subject's certs, then no checking for
syntactic mis-issuance will take place. That observation motivates exploring the notion of having logs perform the function. By so doing we have an opportunity to perform detection of syntactic mis-issuance for every logged cert, a service to
the broad Web PKI community.

It seems as though some are arguing that if a log rejects certs that fail to meet the syntactic criteria this is a bad thing, because it will deter logging of certs.

I thought the CT design makes a counter argument, i.e., that CAs are motivated to log certs because, over time, TLS clients will reject connections to servers when there is no evidence of an SCT. If this argument is true, then having logs check for syntactic mis-issuance is a good thing. If the argument is not true,
it should not be part of the "why CT will work" description.

Steve
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
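The message above argues for doing the syntactic mis-issuance checks at the log rather than leaving them to Monitors, and names the criteria in play: the log's list of accepted root CAs, key sizes, and EV certs. The following is an added example, written for this page and not code from the CT drafts or from any log implementation, of what such a log-side admission check could look like using Go's standard-library crypto/x509. The LogPolicy type, its thresholds (a 2048-bit RSA minimum), and the EV rule (a certificate asserting the CA/Browser Forum EV policy OID 2.23.140.1.1 must name an organization and carry a subject serialNumber, a simplification of the real EV Guidelines) are all assumptions made for the example; the root and leaf certificates are constructed in-process so it runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// LogPolicy is a hypothetical log admission policy (not from the CT drafts):
// the log's published accepted roots plus two assumed syntactic criteria.
type LogPolicy struct {
	Roots       *x509.CertPool
	MinRSABits  int
	EVPolicyOID asn1.ObjectIdentifier
}

// EVFindings applies a deliberately simplified EV rule (an assumption for this example):
// a cert asserting the EV policy OID must name an organization and carry a subject serialNumber.
func (p LogPolicy) EVFindings(c *x509.Certificate) []string {
	if !slices.ContainsFunc(c.PolicyIdentifiers, p.EVPolicyOID.Equal) {
		return nil
	}
	var out []string
	if len(c.Subject.Organization) == 0 {
		out = append(out, "EV policy asserted but Subject has no organization")
	}
	if c.Subject.SerialNumber == "" {
		out = append(out, "EV policy asserted but Subject has no serialNumber")
	}
	return out
}

// CheckSyntax returns every finding for a chain (leaf first, then intermediates);
// an empty result means the log would admit the certificate.
func (p LogPolicy) CheckSyntax(chain []*x509.Certificate) []string {
	if len(chain) == 0 {
		return []string{"empty chain"}
	}
	leaf, findings := chain[0], []string(nil)
	// The chain must anchor in one of the log's accepted roots.
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: p.Roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		findings = append(findings, "chain does not anchor in an accepted root: "+err.Error())
	}
	// An RSA subject key below the policy minimum is syntactic mis-issuance.
	if pub, ok := leaf.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < p.MinRSABits {
		findings = append(findings, fmt.Sprintf("RSA key is %d bits, policy minimum is %d", pub.N.BitLen(), p.MinRSABits))
	}
	return append(findings, p.EVFindings(leaf)...)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds constructed test material (a cert from tmpl, self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey, bits int) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, bits))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// MakeCA returns a self-signed 2048-bit root; MakeLeaf an end-entity cert signed by ca.
func MakeCA(name string) (*x509.Certificate, *rsa.PrivateKey) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil, 2048)
}

func MakeLeaf(ca *x509.Certificate, caKey *rsa.PrivateKey, bits int) *x509.Certificate {
	leaf, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.test"},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey, bits)
	return leaf
}

func main() {
	root, rootKey := MakeCA("Accepted Root")
	roots := x509.NewCertPool()
	roots.AddCert(root)
	policy := LogPolicy{Roots: roots, MinRSABits: 2048, EVPolicyOID: asn1.ObjectIdentifier{2, 23, 140, 1, 1}}
	fmt.Println("2048-bit leaf:", policy.CheckSyntax([]*x509.Certificate{MakeLeaf(root, rootKey, 2048)}))
	fmt.Println("1024-bit leaf:", policy.CheckSyntax([]*x509.Certificate{MakeLeaf(root, rootKey, 1024)}))
}
```

The root-list check is the "element of judgement" the message says logs already have; the key-size and EV checks are the additional syntactic criteria under discussion. A leaf signed by a root outside the pool fails the first check, a 1024-bit leaf fails the second, and a leaf asserting the EV OID with a bare Subject fails the third; an empty finding list is what admission would key on.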