Section 5.1 has a requirement that a log MUST only accept certificates (or precertificates) that include a full valid chain to a trusted root in the submission. This appears to exclude any option for a log to have a priori knowledge of intermediate CAs and accept submissions with incomplete chains. It also means that the log cannot decide to accept certificates that are incorrectly constructed by the CA.
I would suggest the following alternative for the first paragraph of 5.1:

Logs SHOULD verify that each submitted certificate or precertificate has a valid signature chain to an accepted trust anchor, using the chain of intermediate CA certificates provided by the submitter. Logs MUST accept certificates and precertificates that are fully valid according to <xref target="RFC5280">RFC 5280</xref> verification rules and are submitted with such a chain. Logs MAY accept certificates and precertificates that have expired, are not yet valid, have been revoked, or are otherwise not fully valid according to RFC 5280 verification rules in order to accommodate quirks of CA certificate-issuing software. However, logs MUST reject submissions without a known valid signature chain to an accepted trust anchor. Logs SHOULD also reject precertificates that do not conform to the requirements in <xref target="Precertificates"/>. Logs MAY accept objects other than certificates and precertificates that have a known valid signature chain to an accepted trust anchor.

Thanks,
Peter
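The acceptance rule proposed above, as an added example that is not part of this message or of any CT log implementation: a standard-library Go function that insists on a signature chain from the submitted leaf through the supplied intermediates to one of the log's accepted anchors, while the RFC 5280 validity-period check can be switched off (the MAY clause). AcceptSubmission and mkCert are names chosen here; mkCert only builds constructed test certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// AcceptSubmission applies the proposed 5.1 policy: a signature chain from leaf through the submitted
// intermediates to an accepted anchor is mandatory; dates are checked only when tolerateTime is false.
func AcceptSubmission(leaf *x509.Certificate, intermediates, anchors []*x509.Certificate, now time.Time, tolerateTime bool) ([]*x509.Certificate, error) {
	cands := append(append([]*x509.Certificate{}, anchors...), intermediates...) // anchors first
	chain := []*x509.Certificate{leaf}
	for cur := leaf; len(chain) <= len(cands); {
		if !tolerateTime && (now.Before(cur.NotBefore) || now.After(cur.NotAfter)) {
			return nil, errors.New(cur.Subject.CommonName + ": outside its validity period")
		}
		// Who signed cur? Name must chain and the signature must verify; CheckSignatureFrom ignores dates.
		j := 0
		for j < len(cands) && !(cur.Issuer.String() == cands[j].Subject.String() && cur.CheckSignatureFrom(cands[j]) == nil) {
			j++
		}
		if j == len(cands) {
			break
		}
		chain, cur = append(chain, cands[j]), cands[j]
		if j < len(anchors) { // reached an accepted trust anchor
			return chain, nil
		}
	}
	return nil, errors.New("no known valid signature chain to an accepted trust anchor")
}

// mkCert builds a constructed test certificate for cn, signed by parent (self-signed when parent is nil).
func mkCert(cn string, isCA bool, nb, na time.Time, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn}, NotBefore: nb, NotAfter: na,
		IsCA: isCA, BasicConstraintsValid: true} // keyUsage left unset for brevity
	if parent == nil {
		parent, pk = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

Note that the issuer walk never looks at validity periods, so an expired intermediate is also tolerated when tolerateTime is set, whereas a leaf whose chain ends at a root the log does not trust is rejected in both modes.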
