Re: [Trans] Relaxing section 5.1

Peter Bowen <> Thu, 03 November 2016 14:01 UTC

From: Peter Bowen <>
Date: Thu, 03 Nov 2016 07:01:02 -0700
Message-ID: <>
To: Ben Laurie <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Cc: Melinda Shore <>, "" <>
Subject: Re: [Trans] Relaxing section 5.1

On Thu, Nov 3, 2016 at 3:31 AM, Ben Laurie <> wrote:
> On 2 November 2016 at 14:08, Peter Bowen <> wrote:
>> By requiring all logs MUST accept any certificate that chains to a
>> root in the log's root list, 6962bis fails to allow log operators to
>> mitigate any Denial of Service attacks mounted by attempting to log
>> massive numbers of certificates that are not relevant to the log
>> scope.  For example, many existing certification authorities issue
>> both server authentication certificates and certificates for personal
>> identification.  For some roots, acquiring large numbers of these is
>> relatively easy (see discussion of fetching millions of Taiwanese
>> Citizen Digital Certificates in
>>  As written
>> today, a log MUST accept these.  There is no option for a log to
>> require that all certificates must meet some usability criteria.
> The requirement is to reject certs that don't meet the criteria, not
> to accept those that do.

So the root list is just "advisory" -- I could include roots where my
local policy results in rejecting all certs chained to that root?  Or
I could follow Brian's template and reject all and later add to the
log via some other API (or have some rule like "client IP address must
be" in order to get a cert logged)?  These would all be
6962bis compliant?
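The acceptance question argued above, as an added example that is not part of the thread: a toy Python model of a log's add-chain decision, contrasting the strict reading (anything chaining to a root in the root list is accepted) with a log-scope policy that rejects leaves lacking the serverAuth EKU. The certificate records, names, EKU OIDs and the `server_auth_only` policy are constructed for illustration; no signature verification is modelled.

```python
# Added example (not from the thread): toy model of a CT log's add-chain
# decision, with and without a log-scope policy. Certificates are constructed
# records, not real X.509; names and EKU OIDs are illustrative.
from dataclasses import dataclass

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool
    eku: frozenset = frozenset()

def chains_to_accepted_root(chain, accepted_roots):
    """Leaf-first name chaining; top issuer must be a listed root (no signature check)."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or not parent.is_ca:
            return False
    return chain[-1].issuer in accepted_roots

def decide_add_chain(chain, accepted_roots, scope_policy=None):
    """Return (accepted, reason); scope_policy=None is the strict 6962bis 5.1 reading."""
    if not chain:
        return False, "empty chain"
    if not chains_to_accepted_root(chain, accepted_roots):
        return False, "does not chain to an accepted root"
    if scope_policy is not None:
        ok, why = scope_policy(chain[0])
        if not ok:
            return False, why
    return True, "accepted"

def server_auth_only(leaf):
    """Constructed log-scope policy: only TLS server certificates are in scope."""
    if SERVER_AUTH in leaf.eku:
        return True, ""
    return False, "leaf lacks serverAuth EKU (out of log scope)"

# Constructed sample data: one CA that issues both TLS and personal-ID certs.
ROOTS = {"CN=Example Root CA"}
INTERMEDIATE = Cert("CN=Example Issuing CA", "CN=Example Root CA", True)
TLS_LEAF = Cert("CN=www.example.test", "CN=Example Issuing CA", False, frozenset({SERVER_AUTH}))
ID_LEAF = Cert("CN=Citizen 0001 (constructed)", "CN=Example Issuing CA", False, frozenset({CLIENT_AUTH}))

if __name__ == "__main__":
    for leaf in (TLS_LEAF, ID_LEAF):
        print(leaf.subject, decide_add_chain([leaf, INTERMEDIATE], ROOTS))
        print(leaf.subject, decide_add_chain([leaf, INTERMEDIATE], ROOTS, server_auth_only))
```

Without a scope policy both leaves are accepted, which is the behaviour the message objects to; with `server_auth_only` the personal-ID leaf is rejected with a reason while the TLS leaf is still logged.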