IETF Logo Mail Archive

Re: [Trans] Certificate verification

Linus Nordberg <linus@nordu.net> Mon, 20 October 2014 21:33 UTC

Return-Path: <linus@nordu.net>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94E4A1ACEF4 for <trans@ietfa.amsl.com>; Mon, 20 Oct 2014 14:33:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.871
X-Spam-Level:
X-Spam-Status: No, score=-0.871 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_SE=0.35, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4KSd4HovpDg1 for <trans@ietfa.amsl.com>; Mon, 20 Oct 2014 14:33:30 -0700 (PDT)
Received: from e-mailfilter02.sunet.se (e-mailfilter02.sunet.se [IPv6:2001:6b0:8:2::202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D4EA1A00B7 for <trans@ietf.org>; Mon, 20 Oct 2014 14:33:29 -0700 (PDT)
Received: from smtp1.nordu.net (smtp1.nordu.net [IPv6:2001:948:4:6::32]) by e-mailfilter02.sunet.se (8.14.4/8.14.4/Debian-4) with ESMTP id s9KLXRwq022458 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 20 Oct 2014 23:33:27 +0200
Received: from kerio.nordu.net (kerio.nordu.net [109.105.110.42]) by smtp1.nordu.net (8.14.7/8.14.7) with ESMTP id s9KLXNHR022277 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 20 Oct 2014 21:33:26 GMT
VBR-Info: md=nordu.net; mc=all; mv=swamid.se
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nordu.net; s=default; t=1413840806; bh=bPMIP5/Z4N5lED4ctUgdL4l4OD4H0Dv2oCB63m6rmhs=; h=From:To:Cc:Subject:References:Date:In-Reply-To; b=cLAlI8yELdo9ZR8VLxZu+zTmEluRn9iJukvW84sgebx3UWPIeMnN/IjKHcwAw3qur 543y05bVJVDIb2003KWzC3oFEdhs5rPK4Rh8bdyWyhb2KtvHAcfbrnT0tz7NXqbGyX 5u6EleuAMUmefs4eWpvxrpRkjYu6b+DL3torjTok=
X-Footer: bm9yZHUubmV0
Received: from flogsta ([193.10.5.129]) (authenticated user linus@nordu.net) by kerio.nordu.net (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)); Mon, 20 Oct 2014 23:33:23 +0200
From: Linus Nordberg <linus@nordu.net>
To: Paul Wouters <paul@nohats.ca>
Organization: NORDUnet A/S
References: <871tq6uaf1.fsf@nordberg.se> <CABrd9STBA9jh6oHXBzEgUD73rWDRbgrFZc69H5tHOzD4Cw=WHg@mail.gmail.com> <87ppdmhqg7.fsf@nordberg.se> <alpine.LFD.2.10.1410201340380.1071@bofh.nohats.ca>
Date: Mon, 20 Oct 2014 23:33:51 +0200
In-Reply-To: <alpine.LFD.2.10.1410201340380.1071@bofh.nohats.ca> (Paul Wouters's message of "Mon, 20 Oct 2014 13:44:57 -0400 (EDT)")
Message-ID: <87zjcqjuio.fsf@nordberg.se>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain
X-Scanned-By: CanIt (www . roaringpenguin . com)
X-Scanned-By: MIMEDefang 2.74 on 109.105.111.32
X-p0f-Info: os=unknown unknown, link=Ethernet or modem
X-CanIt-Geo: ip=109.105.110.42; country=SE; latitude=62.0000; longitude=15.0000; http://maps.google.com/maps?q=62.0000,15.0000&z=6
X-CanItPRO-Stream: outbound-nordu-net:outbound (inherits from outbound-nordu-net:default, nordu-net:default, base:default)
X-Canit-Stats-ID: 0aN5xxrTC - cbe5064c2d83 - 20141020
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/KeQhbXQIpfWn0l6egrdeYXKqLGc
Cc: trans@ietf.org
Subject: Re: [Trans] Certificate verification
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Oct 2014 21:33:31 -0000

Paul Wouters <paul@nohats.ca> wrote
Mon, 20 Oct 2014 13:44:57 -0400 (EDT):

| On Mon, 20 Oct 2014, Linus Nordberg wrote:
| 
| as individual without chair hat...
| 
| >   Logs MUST verify that the submitted end-entity certificate or
| 
| > My intention was to make the specification less restrictive by changing
| >
| >                               Logs MAY accept certificates that have
| >   expired, are not yet valid, have been revoked, or are otherwise not
| >   fully valid according to X.509 verification rules in order to
| >   accommodate quirks of CA certificate-issuing software.
| 
| That seems to bring up the topic a bit too broadly I think? How about:

The text above is the current text in 6962bis-4.


| 	Logs MUST protect themselves against spam. They MAY require a
| 	fully validated X.509 certification chain to one of their configured
| 	trusted root CA's.

This may be OK for the spam issue but certainly not for attribution.

My current standpoint is that I think logs MUST perform signature chain
validation up to any root in a set of known root certs, chosen by the
log operator, and MUST NOT reject a certificate for any other reasons.

This effectively rules out self-signed certs, which I dislike, but
that is not a change from current text.

Maybe I'm just rehashing some of the points in the "path validation"
thread (started 2014-09-29). A summary of points in that thread by
someone who understands that discussion might help here. Afraid I was
lost pretty early.

v2.23.0 | Report a Bug | By Email