Ben,
...
I have a suggested solution:
- require a CA submitting a pre-cert to assert one of the following:
1. no assertion is made wrt syntactic conformance to CABF guudelines
2. the cert conforms to DV Guidelines <insert guideline version>
3. the cert conforms to EV guidelines <insert guideline version>
- require a log to include the CA assertion in its SCT, along with one
of the following:
1. this log does not check cert syntax
2. this log cannot check the specified CABF Guidelne version
asserted by the CA
3. this log checked the cert against the CA's assertion and it
passed
4. this log checked the cert against the CA's assertion and it
failed
Presumably this would apply to certs as well as precerts, which is the
other reason rejecting isn't particularly helpful (certs are already
issued by the time they're logged!).
I'm confused by your comment. There is no "rejection" of a cert in the
text above.
That was the change I made to address the valid concerns that Rob and
Rick raised.
If the cert failed checking it would still be logged, and an SCT issued,
but the fact that the syntax failed the checks would be noted in the SCT and
the log entry.
Steve
p.s. I realize that one more log-assigned value is needed, i.e., the
CA asserted #1, so the log didn't perform any check in this case
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
