Re: [Trans] Certificate verification

Ben Laurie <benl@google.com> Mon, 20 October 2014 12:09 UTC

References: <871tq6uaf1.fsf@nordberg.se>
From: Ben Laurie <benl@google.com>
Date: Mon, 20 Oct 2014 12:09:48 +0000
Message-ID: <CABrd9STBA9jh6oHXBzEgUD73rWDRbgrFZc69H5tHOzD4Cw=WHg@mail.gmail.com>
To: Linus Nordberg <linus@nordu.net>, trans@ietf.org
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/SFRWze_ARqrNQ8h_5iBElhCezCI
Subject: Re: [Trans] Certificate verification

On Fri Oct 17 2014 at 1:51:01 PM Linus Nordberg <linus@nordu.net> wrote:

> Hi list,
>
> 6962bis-4 says that logs may log and publish invalid certificates as
> long as the chain ends in a known cert. It then lists three examples of
> what can be accepted, all related to time.
>
>    Logs MUST verify that the submitted end-entity certificate or
>    Precertificate has a valid signature chain leading back to a trusted
>    root CA certificate, using the chain of intermediate CA certificates
>    provided by the submitter.  Logs MAY accept certificates that have
>    expired, are not yet valid, have been revoked, or are otherwise not
>    fully valid according to X.509 verification rules in order to
>    accommodate quirks of CA certificate-issuing software.  However, logs
>    MUST refuse to publish certificates without a valid chain to a known
>    root CA.  If a certificate is accepted and an SCT issued, the
>    accepting log MUST store the entire chain used for verification,
>    including the certificate or Precertificate itself and including the
>    root certificate used to verify the chain (even if it was omitted
>    from the submission), and MUST present this chain for auditing upon
>    request.  This chain is required to prevent a CA from avoiding blame
>    by logging a partial or empty chain.  (Note: This effectively
>    excludes self-signed and DANE-based certificates until some mechanism
>    to limit the submission of spurious certificates is found.  The
>    authors welcome suggestions.)
>
> Since the purpose of the log is to put light on bad certificates, would
> it make sense to instead have text 1) specifying a minimum of checks to
> be done (i.e. the chain)


Since checking is for spam limitation, and different logs may have
different views on what is spam, I am not convinced this is a good idea -
for example, any chain check would appear to automatically rule out logging
self-signed certs, and it seems to me that should be left open to log
operators to think about (e.g. Microsoft would appear to have sufficient
information to do spam limitation through use measurement:
http://blogs.technet.com/b/pki/archive/2014/02/22/a-novel-method-in-ie11-for-dealing-with-fraudulent-digital-certificates.aspx
)


> and 2) encouraging logging and publishing of
> all other certificates?
>

That seems like a good plan :-)


>
>
> On a minor note, I think that "trusted" in the very first sentence
> should be changed to "known". Should I use the issue tracker?
>

Yes, please.


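The draft text quoted in this thread is easy to misread as "run normal X.509 verification": what it actually requires is a valid signature chain ending in a known root, while expiry and other validity rules may be ignored, and the log must store the whole chain including an omitted root. The following is an added example written for this page, not code from the thread or from any CT log implementation; it uses only Go's standard library, and `mkCert` and `testChain` are assumed helpers that build constructed test certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// chainToKnownRoot applies the 6962-bis rule: every link needs a valid signature from the next cert and the
// chain must end in a known root; expiry and other X.509 validity rules are deliberately not checked.
func chainToKnownRoot(sub, known []*x509.Certificate) ([]*x509.Certificate, error) {
	for i := 1; i < len(sub); i++ {
		if err := sub[i-1].CheckSignatureFrom(sub[i]); err != nil {
			return nil, err
		}
	}
	for _, r := range known {
		if n := len(sub); n > 0 && sub[n-1].Equal(r) {
			return sub, nil // submitter included the root
		} else if n > 0 && sub[n-1].CheckSignatureFrom(r) == nil {
			return append(sub, r), nil // root omitted from the submission: store the full chain anyway
		}
	}
	return nil, errors.New("chain is empty or does not end in a known root")
}

// mkCert is a constructed test helper: an Ed25519 certificate signed by parent, or self-signed when parent is nil.
func mkCert(cn string, ku x509.KeyUsage, nb, na time.Time, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: nb,
		NotAfter: na, KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pk) // constructed test data: errors ignored
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// testChain builds a known root, an intermediate, and a leaf that expired a year ago (constructed test data).
func testChain() (leaf, inter, root *x509.Certificate) {
	now := time.Now()
	root, rk := mkCert("Known Root", x509.KeyUsageCertSign, now.AddDate(-10, 0, 0), now.AddDate(10, 0, 0), nil, nil)
	inter, ik := mkCert("Intermediate", x509.KeyUsageCertSign, now.AddDate(-5, 0, 0), now.AddDate(5, 0, 0), root, rk)
	leaf, _ = mkCert("expired.example", x509.KeyUsageDigitalSignature, now.AddDate(-2, 0, 0), now.AddDate(-1, 0, 0), inter, ik)
	return leaf, inter, root
}
```

Submitting `[leaf, inter]` from `testChain` to `chainToKnownRoot` with the root as the only known root is accepted and returns the three-certificate chain, whereas `leaf.Verify` in the standard library rejects the same chain because the leaf has expired.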