Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 text re log certvalidation is ambiguous

Mon, 06 Jul 2015 08:16:25 -0700 

On 06/07/15 16:06, Stephen Kent wrote:

If there is no standard for the validation checks logs perform, because
of a desire to accept malformed certs from (sloppy) CAs, then a CA cannot
know whether its submission will be rejected by a log.



Huh?  Why can't the (potentially sloppy) CA call add-chain (or 
add-pre-chain) and see what happens?



Either the log will return an SCT (in which case it accepted the 
submission), or it won't (in which case it rejected the submission).



The alternative is to specify a way for
each log to specify what checks it performs, and to publish that the
same way other log info is advertised.

Steve



#73: Section 3 text re log cert validation is ambiguous


Comment (by [email protected]):

  On the issue of specifying deviations, I am not sure how that could
  realistically be done. For example, our logs will permit whatever
  deviations OpenSSL permits. I don't think anyone knows precisely what
  those are, and I'm prepared to bet they vary between versions.

  Even leaving that aside, experience suggests we have to permit
deviations
  in order to admit incorrect certificates that are accepted by
browsers. I
  don't think we can anticipate what all of those are.



_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans



--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
  3rd Floor, 26 Office Village, Exchange Quay,
  Trafford Road, Salford, Manchester M5 3EQ


This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.


_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans






















					Reply via email to