Paul Wouters <[email protected]> wrote Mon, 20 Oct 2014 13:44:57 -0400 (EDT):
| On Mon, 20 Oct 2014, Linus Nordberg wrote:
|
| as individual without chair hat...
|
| > Logs MUST verify that the submitted end-entity certificate or
|
| > My intention was to make the specification less restrictive by changing
| >
| > Logs MAY accept certificates that have
| > expired, are not yet valid, have been revoked, or are otherwise not
| > fully valid according to X.509 verification rules in order to
| > accommodate quirks of CA certificate-issuing software.
|
| That seems to bring up the topic a bit too broadly I think? How about:

The text above is the current text in 6962bis-4.

| Logs MUST protect themselves against spam. They MAY require a
| fully validated X.509 certification chain to one of their configured
| trusted root CA's.

This may be OK for the spam issue but certainly not for attribution.

My current standpoint is that I think logs MUST perform signature chain
validation up to any root in a set of known root certs, chosen by the
log operator, and MUST NOT reject a certificate for any other reasons.

This effectively rules out self-signed certs, which I dislike, but that
is not a change from current text.

Maybe I'm just rehashing some of the points in the "path validation"
thread (started 2014-09-29). A summary of points in that thread by
someone who understands that discussion might help here. Afraid I was
lost pretty early.
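The signature-chain-only acceptance rule discussed in this message, sketched in Go as an added example (not code from the thread, from 6962bis, or from any log implementation). `SigChainOK` and `Issue` are hypothetical names and all certificates are constructed test data; note that Go's `CheckSignatureFrom` also requires the issuer to be marked as a CA, which is slightly more than a bare signature check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SigChainOK checks signatures only: each certificate must be signed by the next,
// and the last must be, or be signed by, a log root. Dates and revocation are ignored.
func SigChainOK(chain, roots []*x509.Certificate) error {
	for i := 0; i+1 < len(chain); i++ {
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return err
		}
	}
	for _, r := range roots {
		if n := len(chain); n > 0 && (chain[n-1].Equal(r) || chain[n-1].CheckSignatureFrom(r) == nil) {
			return nil
		}
	}
	return fmt.Errorf("chain does not end at a root accepted by this log")
}

// Issue makes a constructed test certificate; a nil parent means self-signed.
func Issue(cn string, ca bool, notAfter time.Time, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: notAfter.Add(-24 * time.Hour), NotAfter: notAfter}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	root, rk := Issue("constructed root", true, time.Now().AddDate(1, 0, 0), nil, nil)
	leaf, _ := Issue("expired.example", false, time.Now().AddDate(0, 0, -30), root, rk)
	fmt.Println("signature-only check:", SigChainOK([]*x509.Certificate{leaf}, []*x509.Certificate{root}))
}
```

An expired certificate that chains to a configured root passes this check while full X.509 path validation rejects it; a self-signed certificate outside the root set fails both.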
