Ben,
On 3 October 2014 20:25, Stephen Kent<[email protected]> wrote:
Ben,
...
I have a suggested solution:
- require a CA submitting a pre-cert to assert one of the following:
1. no assertion is made wrt syntactic conformance to CABF
guudelines
2. the cert conforms to DV Guidelines <insert guideline version>
3. the cert conforms to EV guidelines <insert guideline version>
- require a log to include the CA assertion in its SCT, along with
one
of the following:
1. this log does not check cert syntax
2. this log cannot check the specified CABF Guidelne version
asserted by the CA
3. this log checked the cert against the CA's assertion and it
passed
4. this log checked the cert against the CA's assertion and it
failed
Presumably this would apply to certs as well as precerts, which is the
other reason rejecting isn't particularly helpful (certs are already
issued by the time they're logged!).
I'm confused by your comment. There is no "rejection" of a cert in the text
above.
That was the change I made to address the valid concerns that Rob and Rick
raised.
I was adding another valid concern to Rob and Rick's, it was not meant
to be a criticism of the above proposal.
Sorry, I didn't realize the intent of your comment. But, in any case,
my revised proposal addresses this concern as well.
If the cert failed checking it would still be logged, and an SCT issued,
but the fact that the syntax failed the checks would be noted in the SCT and
the log entry.
Sure, but the language proposed does not cover certs - they may not be
submitted by a CA and obviously they are not pre-certs.
Good point. I will revise the proposal to cover certs, as well as
pre-certs.
Steve
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
