I-D Action: draft-kent-trans-extended-validation-cert-checks-01.txt

internet-drafts@ietf.org Thu, 18 June 2015 00:15 UTC

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
Subject: I-D Action: draft-kent-trans-extended-validation-cert-checks-01.txt
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20150618001550.9749.7853.idtracker@ietfa.amsl.com>
Date: Wed, 17 Jun 2015 17:15:50 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/i-d-announce/jRvFAq4Rn3VvUJfosYpwqWKdcCU>
Reply-To: internet-drafts@ietf.org

A New Internet-Draft is available from the on-line Internet-Drafts directories.


        Title           : Syntactic and Semantic Checks for Extended Validation Certificates
        Authors         : Stephen Kent
                          Rick Andrews
	Filename        : draft-kent-trans-extended-validation-cert-checks-01.txt
	Pages           : 9
	Date            : 2015-06-17

Abstract:
   Certificate Transparency (CT) [RFC6962-bis] is a system for publicly
   logging the existence of X.509 certificates as they are issued or
   observed.  The logging mechanism allows anyone to audit certification
   authority (CA) activity and detect the issuance of "suspect"
   certificates.  Detecting mis-issuance of certificates is a primary
   goal of CT.

   A certificate is considered to be mis-issued if it fails to meet
   syntactic and/or semantic criteria associated with the type of
   certificate being issued.  Mis-issuance can be detected by CT log
   servers, whose feedback to a CA could prompt the CA to not issue a
   suspect certificate.  (Preventing the mis-issuance of such a
   certificate is preferable to issuing it and detecting it later.)

   Compliant CT log servers could offer these checks to a CA submitting
   a pre-certificate to be logged.  These checks are intended to be used
   in an environment in which CAs optionally assert the version of the
   EV guidelines to which the submitted pre-certificate purportedly
   conforms.  Log servers would then perform the checks of supported
   [CABF-EV] versions and include the CA's assertion and the log
   server's result in its Signed Certificate Timestamp (SCT).

   Monitors can also perform checks to detect suspect certificates on
   behalf of certificate Subjects.  Checks performed by a Monitor also
   serve to double check log servers that claim to have checked a
   certificate, to identify those that are not doing the checks
   properly, e.g., because of errors, compromise, or conspiracy.  This
   provides Monitors and CT clients with additional information when
   choosing which logs to use.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-kent-trans-extended-validation-cert-checks/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-kent-trans-extended-validation-cert-checks-01

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-kent-trans-extended-validation-cert-checks-01


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

I-D Action: draft-kent-trans-extended-validation-… internet-drafts