As long as it chains to a valid root, wouldn't we want to log it? So we become aware of previously unknown intermediates?
Paul

Sent from my iPhone

> On Jun 4, 2016, at 15:01, Peter Bowen <[email protected]> wrote:
>
> Section 5.1 has a requirement that a log MUST only accept certificates
> (or precertificates) that include a full valid chain to a trusted root
> in the submission. This appears to exclude any option for a log to
> have a priori knowledge of intermediate CAs and accept submissions
> with incomplete chains. It also means that the log cannot decide to
> accept certificates that are incorrectly constructed by the CA.
>
> I would suggest the following alternative for the first paragraph of 5.1:
>
> Logs SHOULD verify that each submitted certificate or precertificate
> has a valid signature chain to an accepted trust anchor, using the
> chain of intermediate CA certificates provided by the submitter. Logs
> MUST accept certificates and precertificates that are fully valid
> according to <xref target="RFC5280">RFC 5280</xref> verification rules
> and are submitted with such a chain. Logs MAY accept certificates and
> precertificates that have expired, are not yet valid, have been
> revoked, or are otherwise not fully valid according to RFC 5280
> verification rules in order to accommodate quirks of CA
> certificate-issuing software. However, logs MUST reject submissions
> without a known valid signature chain to an accepted trust anchor.
> Logs SHOULD also reject precertificates that do not conform to the
> requirements in <xref target="Precertificates"/>. Logs MAY accept
> objects other than certificates and precertificates that have a known
> valid signature chain to an accepted trust anchor.
>
> Thanks,
> Peter
>
> _______________________________________________
> Trans mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/trans
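The acceptance rules in Peter's proposed text, worked through as an added example that is not part of the thread, of the 6962-bis draft, or of any CT log implementation. It is Go on the standard library's crypto/x509 only; the Policy and Decision types, the function names and the in-memory test PKI (a root, an intermediate, three leaves, none of it real CA data) are constructed for this example. The pool of intermediates the log knows a priori is what Paul's reply is asking about: it is what lets a submission with an incomplete chain still reach an accepted anchor.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Policy is the log's a priori knowledge (hypothetical type, not from any CT log code):
// accepted trust anchors plus intermediates the log already knows.
type Policy struct {
	Anchors, Intermediates []*x509.Certificate
}
type Decision struct {
	Accepted, FullyValid bool // Accepted false: MUST reject; FullyValid false: taken under the MAY clause
	Reason               string
}

// signatureChain walks from the leaf to an accepted anchor checking only signatures and CA
// constraints (CheckSignatureFrom does no validity-period check); gaps are filled from the pool.
func signatureChain(p *Policy, submitted []*x509.Certificate) bool {
	anchor := map[string]bool{}
	for _, a := range p.Anchors {
		anchor[string(a.Raw)] = true
	}
	pool := append(append(append([]*x509.Certificate{}, submitted[1:]...), p.Intermediates...), p.Anchors...)
	cur := submitted[0]
	for depth := 0; depth < 10 && !anchor[string(cur.Raw)]; depth++ { // bounded: a bogus loop must not hang the log
		var next *x509.Certificate
		for _, parent := range pool {
			if parent != cur && cur.CheckSignatureFrom(parent) == nil {
				next = parent
				break
			}
		}
		if next == nil {
			return false
		}
		cur = next
	}
	return anchor[string(cur.Raw)]
}

// Evaluate applies the proposed 5.1 rules: reject without a signature chain, accept fully valid chains, flag the rest.
func Evaluate(p *Policy, submitted []*x509.Certificate, now time.Time) Decision {
	if len(submitted) == 0 || !signatureChain(p, submitted) {
		return Decision{Reason: "no known valid signature chain to an accepted trust anchor"}
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, a := range p.Anchors {
		roots.AddCert(a)
	}
	for _, c := range append(append([]*x509.Certificate{}, submitted[1:]...), p.Intermediates...) {
		inters.AddCert(c)
	}
	_, err := submitted[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return Decision{Accepted: true, Reason: "accepted under MAY clause; RFC 5280: " + err.Error()}
	}
	return Decision{Accepted: true, FullyValid: true, Reason: "fully valid"}
}

// newCert issues a constructed test certificate (parent == nil means self-signed); a non-CA leaf is rejected as issuer by CheckSignatureFrom.
func newCert(serial int64, cn string, ca bool, nb, na time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: na, BasicConstraintsValid: true, IsCA: ca,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Scenarios builds the constructed PKI and runs the thread's cases: full chain, leaf with a known intermediate, expired leaf, untrusted root.
func Scenarios() map[string]Decision {
	now, h := time.Now(), time.Hour
	root, rootKey := newCert(1, "Test Root", true, now.Add(-h), now.Add(87600*h), nil, nil)
	inter, interKey := newCert(2, "Test Intermediate", true, now.Add(-h), now.Add(87600*h), root, rootKey)
	other, otherKey := newCert(3, "Unknown Root", true, now.Add(-h), now.Add(87600*h), nil, nil)
	good, _ := newCert(10, "example.test", false, now.Add(-h), now.Add(24*h), inter, interKey)
	expired, _ := newCert(11, "example.test", false, now.Add(-48*h), now.Add(-24*h), inter, interKey)
	stranger, _ := newCert(12, "example.test", false, now.Add(-h), now.Add(24*h), other, otherKey)
	policy := &Policy{Anchors: []*x509.Certificate{root}, Intermediates: []*x509.Certificate{inter}}
	return map[string]Decision{
		"full":               Evaluate(policy, []*x509.Certificate{good, inter, root}, now),
		"known-intermediate": Evaluate(policy, []*x509.Certificate{good}, now),
		"expired":            Evaluate(policy, []*x509.Certificate{expired, inter}, now),
		"unknown-ca":         Evaluate(policy, []*x509.Certificate{stranger, other}, now),
	}
}
```

CheckSignatureFrom verifies the signature and the issuer's CA constraints but ignores validity periods, so the walk implements the "known valid signature chain" test, while x509.Verify supplies the full RFC 5280 check that decides FullyValid. An expired leaf therefore comes back Accepted but not FullyValid, which is the MAY clause in action; a leaf chaining only to a root the log does not trust is rejected outright. Revocation is not consulted anywhere, consistent with the proposed text, but a real log would want to make that choice explicitly rather than by omission.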
