If there is no standard for the validation checks logs perform, because of a desire to accept malformed certs from (sloppy) CAs, then a CA cannot know whether its submission will be rejected by a log. The alternative is to specify a way for each log to specify what checks it performs, and to publish that the same way other log info is advertised.

Steve


#73: Section 3 text re log cert validation is ambiguous


Comment (by [email protected]):

  On the issue of specifying deviations, I am not sure how that could
  realistically be done. For example, our logs will permit whatever
  deviations OpenSSL permits. I don't think anyone knows precisely what
  those are, and I'm prepared to bet they vary between versions.

  Even leaving that aside, experience suggests we have to permit deviations
  in order to admit incorrect certificates that are accepted by browsers. I
  don't think we can anticipate what all of those are.


_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans