|
I can't speak for Steve, but I can
provide an example of a syntax error I encountered as a result of
"quirks of CA certificate-issuing software."
Many years ago when I was tasked to check whether certificates being issued by a CA were being issued in conformance with the appropriate profile, I discovered that the keyUsage extensions in the certificates were not DER encoded. The contents of the extension were correct according to BER, but not DER, and everything else about the certificate was correct. This must have been the fault of the developer of the CA software and not the company operating the CA. This would not be a security or trust failure by the CA and most clients wouldn't even notice the problem. There would, however, be the risk that some client software somewhere would not accept the certificate simply because of the encoding problem, so it was useful for the encoding problem to be identified and fixed. It's not clear, however, that this is the type of error draft-ietf-trans-threat-analysis has in mind. Section 1 of the document says: A certificate is characterized as syntactically mis-issued (aka erroneous) if it violates syntax constraints associated with the class of certificate that it purports to represent. Syntax constraints for certificates are established by certificate profiles, and typically are application-specific. Similarly, https://tools.ietf.org/html/draft-kent-trans-domain-validation-cert-checks makes no mention of encoding errors, such as the one I encountered. But, my guess would be that syntactic mis-issuance was intended to include encoding errors in addition to violations of application-specific certificate profiles. NOTE: I have no position of which entity, if any, should be checking for these types of errors, or on how the discovery of such errors should be handled if they are found. On 05/14/2018 10:06 PM, Ryan Sleevi wrote:
|
_______________________________________________ Trans mailing list [email protected] https://www.ietf.org/mailman/listinfo/trans
