Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 text re log certvalidation is ambiguous

Rob Stradling <> Mon, 06 July 2015 15:15 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 531B11A8992 for <>; Mon, 6 Jul 2015 08:15:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Oszi6wzFuPz1 for <>; Mon, 6 Jul 2015 08:15:18 -0700 (PDT)
Received: from ( [IPv6:2a02:1788:402:c00::c0a8:9cd5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A6A5D1A8989 for <>; Mon, 6 Jul 2015 08:15:17 -0700 (PDT)
Received: (qmail 16141 invoked by uid 1004); 6 Jul 2015 15:15:15 -0000
Received: from (HELO ( by (qpsmtpd/0.84) with ESMTP; Mon, 06 Jul 2015 16:15:15 +0100
Received: (qmail 3646 invoked by uid 1000); 6 Jul 2015 15:15:15 -0000
Received: from (HELO []) ( (smtp-auth username rob, mechanism plain) by (qpsmtpd/0.40) with (AES128-SHA encrypted) ESMTPSA; Mon, 06 Jul 2015 16:15:15 +0100
Message-ID: <>
Date: Mon, 06 Jul 2015 16:15:15 +0100
From: Rob Stradling <>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Stephen Kent <>,
References: <><> <>
In-Reply-To: <>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 text re log certvalidation is ambiguous
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 06 Jul 2015 15:15:20 -0000

On 06/07/15 16:06, Stephen Kent wrote:
> If there is no standard for the validation checks logs perform, because
> of a desire to accept malformed certs from (sloppy) CAs, then a CA cannot
> know whether its submission will be rejected by a log.

Huh?  Why can't the (potentially sloppy) CA call add-chain (or 
add-pre-chain) and see what happens?

Either the log will return an SCT (in which case it accepted the 
submission), or it won't (in which case it rejected the submission).

> The alternative is to specify a way for
> each log to specify what checks it performs, and to publish that the
> same way other log info is advertised.
> Steve
>> #73: Section 3 text re log cert validation is ambiguous
>> Comment (by
>>   On the issue of specifying deviations, I am not sure how that could
>>   realistically be done. For example, our logs will permit whatever
>>   deviations OpenSSL permits. I don't think anyone knows precisely what
>>   those are, and I'm prepared to bet they vary between versions.
>>   Even leaving that aside, experience suggests we have to permit
>> deviations
>>   in order to admit incorrect certificates that are accepted by
>> browsers. I
>>   don't think we can anticipate what all of those are.
> _______________________________________________
> Trans mailing list

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.