Russ,
Sorry I didn't get to this sooner, vacation, etc. I see that Rick
already replied, but for
completeness ...
...
Can't anyone build the certificate chain? Since the logs are posting
the supported trust anchors, anyone can build a chain for the end
entity certificate.
Anyone can build a cert chain that should be accepted by a log, if the
chain is "valid" relative to
one of the CAs for which the log says it will accept certs. I think this
is why Rick suggested that I
make the fist sentence of the second paragraph more general, which I have.
...
Alternatively, a log could check to see if the reported certificate is
already present, and if so, return the older entry to the party that
reports the certificate. I seem to recall reading this idea at some
point, buy I admit I did not look into the current I-D to see if that
was where i read it.
I believe you're correct, i.e., a log may, at its discretion, return the
SCT it generated previouslythen
if a duplicate cert is submitted.
...
If the log performs some validation checks, are you suggesting that a
relying party can leverage the work already done by the log? If so,
it puts the log checking at a different place in the certificate
validation than I was imagining.
That's not what I meant to imply. I was saying that if an entity
submitting a cert to a log asserted
the type of cert, then a Monitor and/or a client knows what additional
checks it ought to perform,
based on the assertion. So, for example, if a client gets a cert that
the log entry and SCT say is
an S/MIME cert, but the cert has been submitted in a Web PKI context,
this might raise an alarm. Also if
a log states that it performed syntax checks for the indicated type of
cert, and a Monitor or client
performs the same checks and gets a different outcome, this should raise
doubts about the log.
Nonetheless, I guess a client might choose to rely on cert validation by
a log, although
one should do so only if one has confidence that the log (or a set of
logs that all agree the
cert was valid) can do a better job than the client. Given experience
with some browsers, that
might not be a bad idea ;-).
Steve
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
