On Wed, Nov 2, 2016 at 6:39 AM, Melinda Shore <[email protected]> wrote:

> 6962-bis has completed working group last call. Minor editorial
> changes are fine, but let's try to avoid major changes that would
> require yet another WGLC. If there's a need for an additional
> document dealing with operational considerations or operational
> specifications, we can do that. If there's a major problem with
> 6962-bis, we can deal with that as well, but it would need to
> be serious (i.e. goes to the correctness of the specification,
> fixes something that's broken, etc.).
I realize that 6962bis has passed WGLC, so I know there is a high bar for changes. However, I think this might pass that bar. The highly restrictive language that imposes minimum policy for logs makes interoperability with other IETF RFCs on the standards track very hard. 6962bis appears to assume that DANE (RFCs 7671 and 6698) will never be implemented and that concepts like RFC 6091 will never come to fruition.

By requiring that all logs MUST accept any certificate that chains to a root in the log's root list, 6962bis fails to allow log operators to mitigate any Denial of Service attacks mounted by attempting to log massive numbers of certificates that are not relevant to the log scope. For example, many existing certification authorities issue both server authentication certificates and certificates for personal identification. For some roots, acquiring large numbers of these is relatively easy (see the discussion of fetching millions of Taiwanese Citizen Digital Certificates in https://smartfacts.cr.yp.to/smartfacts-20130916.pdf). As written today, a log MUST accept these. There is no option for a log to require that all certificates must meet some usability criteria.

I agree that a future additional document dealing with operational considerations is fine, but as drafted today, 6962bis does not allow a log to implement these considerations.

Thanks,
Peter

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
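The following is an added example, not code from this thread, from 6962bis, or from any log implementation. It sketches, in Go, the two acceptance policies the message contrasts: the strict rule (accept anything that chains to a listed root) and a scoped rule that additionally requires the leaf to carry id-kp-serverAuth, which is the kind of "usability criteria" a log operator might want for DoS mitigation. The names `LogPolicy`, `CheckSubmission`, `BuildTestPKI` and `Evaluate` are hypothetical, the root and leaf certificates are constructed in memory for the demonstration, and chain building relies on the standard library's `x509.Certificate.Verify`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// LogPolicy is a hypothetical acceptance policy for a log's add-chain endpoint.
type LogPolicy struct {
	Roots             *x509.CertPool // the log's accepted root list
	RequireServerAuth bool           // scope restriction; not permitted by 6962bis as read in the mail
}

// CheckSubmission accepts chain[0] only if it chains to a listed root and,
// when scoping is enabled, carries id-kp-serverAuth. Returns nil on acceptance.
func CheckSubmission(p LogPolicy, chain []*x509.Certificate) error {
	if len(chain) == 0 {
		return errors.New("empty chain")
	}
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	// ExtKeyUsageAny disables Go's own EKU check so the strict policy matches 6962bis.
	opts := x509.VerifyOptions{Roots: p.Roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := chain[0].Verify(opts); err != nil {
		return fmt.Errorf("does not chain to an accepted root: %w", err)
	}
	if p.RequireServerAuth && !hasEKU(chain[0], x509.ExtKeyUsageServerAuth) {
		return errors.New("out of scope: leaf lacks id-kp-serverAuth")
	}
	return nil
}

func hasEKU(c *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, e := range c.ExtKeyUsage {
		if e == want || e == x509.ExtKeyUsageAny {
			return true
		}
	}
	return false
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildTestPKI constructs (sample data, not a real CA) one multi-purpose root,
// a TLS server leaf and a client-only personal-ID leaf issued under that root.
func BuildTestPKI() (root, tlsLeaf, idLeaf *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "Constructed Multi-Purpose Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root = mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	leaf := func(serial int64, cn string, eku x509.ExtKeyUsage) *x509.Certificate {
		t := &x509.Certificate{SerialNumber: big.NewInt(serial),
			Subject:   pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
		return mustCert(t, root, &leafKey.PublicKey, rootKey)
	}
	tlsLeaf = leaf(2, "www.example.com", x509.ExtKeyUsageServerAuth)
	idLeaf = leaf(3, "Constructed Citizen ID", x509.ExtKeyUsageClientAuth)
	return
}

// Evaluate runs the personal-ID leaf under the strict rule and both leaves under the scoped rule.
func Evaluate() (strictAcceptsID, scopedAcceptsID, scopedAcceptsTLS bool) {
	root, tlsLeaf, idLeaf := BuildTestPKI()
	pool := x509.NewCertPool()
	pool.AddCert(root)
	strict := LogPolicy{Roots: pool}
	scoped := LogPolicy{Roots: pool, RequireServerAuth: true}
	strictAcceptsID = CheckSubmission(strict, []*x509.Certificate{idLeaf}) == nil
	scopedAcceptsID = CheckSubmission(scoped, []*x509.Certificate{idLeaf}) == nil
	scopedAcceptsTLS = CheckSubmission(scoped, []*x509.Certificate{tlsLeaf}) == nil
	return
}

func main() {
	a, b, c := Evaluate()
	fmt.Printf("strict accepts ID cert: %v, scoped accepts ID cert: %v, scoped accepts TLS cert: %v\n", a, b, c)
}
```

Under the strict policy the client-only identity certificate is logged because it chains to a listed root; under the scoped policy it is refused while the server certificate is still accepted. The check is deliberately placed after chain validation so that an out-of-scope submission costs the log no more than one signature verification path before it is dropped.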