Currently 6962bis section 5.1 says: "Logs MUST verify that each submitted certificate or precertificate has a valid signature chain to an accepted trust anchor, using the chain of intermediate CA certificates provided by the submitter. [...] logs MUST reject submissions without a valid signature chain to an accepted trust anchor. Logs MUST also reject precertificates that do not conform to the requirements in Section 3.2."
Is there a reason this is enshrined as a MUST? It seems like it should be up to the log operator to determine their policy. For example, a log operator might want to add a feature to accept certificates which have incomplete chains and have the log add the missing links from data it already has, or a log operator may want to allow logging of certificates that are also published for DANE with TLSA records with certificate usage 2 or 3.

It feels very restrictive to require that every log only accept certificates that follow the traditional hierarchical PKI model. I can see value in providing guidance on what a log MAY want to do. However, requiring such seems to limit the potential of transparency in undesirable ways.

Thanks,
Peter

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
