Re: [Trans] path validation

Matt Palmer <mpalmer@hezmatt.org> Tue, 30 September 2014 00:55 UTC

Date: Tue, 30 Sep 2014 10:55:24 +1000
From: Matt Palmer <mpalmer@hezmatt.org>
To: trans@ietf.org
Message-ID: <20140930005524.GP16215@hezmatt.org>
References: <54296FB2.1060109@bbn.com> <4262AC0DB9856847A2D00EF817E81139233695@scygexch10.cygnacom.com> <544B0DD62A64C1448B2DA253C011414607D1629838@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <4262AC0DB9856847A2D00EF817E8113923370C@scygexch10.cygnacom.com> <544B0DD62A64C1448B2DA253C011414607D162989C@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
In-Reply-To: <544B0DD62A64C1448B2DA253C011414607D162989C@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/HAFFCJt0yaEOOmbEmM-HLCM5WSg
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>

On Mon, Sep 29, 2014 at 12:26:47PM -0700, Rick Andrews wrote:
> Since it's not an absolute requirement at this point (either from CABF or
> from individual browsers' policies) I suggest that log servers cannot
> enforce the use of technical constraints in intermediate CAs.

Logs shouldn't be enforcing *anything*.  A log isn't a judge, it's a record.
The only constraints on what should be rejected from being accepted by a
log should be those things which prevent abuse sufficient to render a log
unusable.

- Matt