On Fri, Oct 17, 2014 at 02:51:14PM +0200, Linus Nordberg wrote:
> 6962bis-4 says that logs may log and publish invalid certificates as
> long as the chain ends in a known cert. It then lists three examples of
> what can be accepted, all related to time.

[...]

> Since the purpose of the log is to put light on bad certificates, would
> it make sense to instead have text 1) specifying a minimum of checks to
> be done (i.e. the chain) and 2) encouraging logging and publishing of
> all other certificates?

IMO, yes. My opinion is that a log which rejects certificates for reasons
other than those required to maintain the operation of the log (ie spamming)
is worthless -- you're *not* getting a complete view of what a CA intended
to issue, you're getting some sort of filtered, sanitised view of it.

> On a minor note, I think that "trusted" in the very first sentence
> should be changed to "known". Should I use the issue tracker?

I've been advised that for small, non-controversial changes, submitting a
pull request direct to the github repo is fine.

- Matt
