IETF Logo Mail Archive

Re: [Trans] Mutability of Certificate Signatures

Rob Stradling <rob.stradling@comodo.com> Wed, 19 July 2017 09:13 UTC

Return-Path: <rob.stradling@comodo.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AABF61277BB for <trans@ietfa.amsl.com>; Wed, 19 Jul 2017 02:13:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.19
X-Spam-Level:
X-Spam-Status: No, score=-4.19 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M-R4zXYVuFZ8 for <trans@ietfa.amsl.com>; Wed, 19 Jul 2017 02:13:41 -0700 (PDT)
Received: from mmextmx2.mcr.colo.comodoca.net (mmextmx2.mcr.colo.comodoca.net [IPv6:2a02:1788:402:c00::c0a8:9cd6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82BE9131C45 for <trans@ietf.org>; Wed, 19 Jul 2017 02:13:40 -0700 (PDT)
Received: (qmail 28104 invoked by uid 1004); 19 Jul 2017 09:13:38 -0000
Received: from rmdccgwarp1.reyn.mcr.dc.comodo.net (HELO maileu.comodo.net) (10.1.72.82) by mmextmx2.mcr.colo.comodoca.net (qpsmtpd/0.84) with ESMTP; Wed, 19 Jul 2017 10:13:38 +0100
Received: from [192.168.0.58] ([192.168.0.58]) by maileu.comodo.net (IceWarp 11.4.5.0 DEB8 x64) with ASMTP (SSL) id 201707191013376215; Wed, 19 Jul 2017 10:13:37 +0100
To: Andrew Ayer <agwa@andrewayer.name>, Eran Messeri <eranm@google.com>
Cc: "trans@ietf.org" <trans@ietf.org>
References: <20170528191028.20f285073eea33a3f23b6b5a@andrewayer.name> <20170703100241.9dd63b867d0181bae69a3999@andrewayer.name> <CALzYgEf5TnSSrkk0rP=OckLN_cgim2-M4fmnd70FavW8mG0yZA@mail.gmail.com> <20170718204256.d932dee67d792891bb20729e@andrewayer.name>
From: Rob Stradling <rob.stradling@comodo.com>
Message-ID: <6d7d81bc-dc28-884d-e684-840cca9a117f@comodo.com>
Date: Wed, 19 Jul 2017 10:13:36 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.0
MIME-Version: 1.0
In-Reply-To: <20170718204256.d932dee67d792891bb20729e@andrewayer.name>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/LDOVnSFTwQBGAgtWDcuD2rPQq9A>
Subject: Re: [Trans] Mutability of Certificate Signatures
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jul 2017 09:13:45 -0000

On 19/07/17 04:42, Andrew Ayer wrote:
<snip>
> To be clear, are you proposing a requirement that the chain always
> contain a certificate with the issuer's public key, even if the logged
> certificate is a trust anchor?  This would be a new requirement, as
> 6962-bis currently allows a non-self-signed trust anchor to be logged
> without a chain containing its issuer.
How about we revert to the RFC6962 requirement that only self-signed 
certificates may be trust anchors?

It would still be possible for an "intermediate CA" to be a trust 
anchor, since there's nothing to stop an "intermediate CA" from also 
self-certifying itself.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

v2.23.0 | Report a Bug | By Email