IETF Logo Mail Archive

Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 text re logcertvalidationis ambiguous

Rob Stradling <rob.stradling@comodo.com> Mon, 06 July 2015 20:04 UTC

Return-Path: <rob.stradling@comodo.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57B0C1ACE35 for <trans@ietfa.amsl.com>; Mon, 6 Jul 2015 13:04:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8kgIdco2udFc for <trans@ietfa.amsl.com>; Mon, 6 Jul 2015 13:03:58 -0700 (PDT)
Received: from mmextmx2.mcr.colo.comodoca.net (mmextmx2.mcr.colo.comodoca.net [IPv6:2a02:1788:402:c00::c0a8:9cd6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 116211ACDCE for <trans@ietf.org>; Mon, 6 Jul 2015 13:03:58 -0700 (PDT)
Received: (qmail 11904 invoked by uid 1004); 6 Jul 2015 20:03:56 -0000
Received: from ian.brad.office.comodo.net (HELO ian.brad.office.comodo.net) (192.168.0.202) by mmextmx2.mcr.colo.comodoca.net (qpsmtpd/0.84) with ESMTP; Mon, 06 Jul 2015 21:03:56 +0100
Received: (qmail 18886 invoked by uid 1000); 6 Jul 2015 20:03:56 -0000
Received: from and0004.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (AES128-SHA encrypted) ESMTPSA; Mon, 06 Jul 2015 21:03:56 +0100
Message-ID: <559ADF2B.3050507@comodo.com>
Date: Mon, 06 Jul 2015 21:03:55 +0100
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Stephen Kent <kent@bbn.com>, trans@ietf.org
References: <052.b3ecc6ca8b28cc47e13443079611ce86@tools.ietf.org><067.7becba46c4f8b854834f9bb0c27374ce@tools.ietf.org><559A9977.1040808@bbn.com> <559A9B83.6040000@comodo.com> <559AA60A.1060501@bbn.com> <559AD74A.5030806@comodo.com> <559ADBF5.7000807@bbn.com>
In-Reply-To: <559ADBF5.7000807@bbn.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/ULppA9QQsKDaCowEq31n1tRHfZM>
Subject: Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 text re logcertvalidationis ambiguous
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2015 20:04:00 -0000

On 06/07/15 20:50, Stephen Kent wrote:
> Rob,
>
>> On 06/07/15 17:00, Stephen Kent wrote:
>>> Rob,
>>>
>>> Having a cert rejected does not tell the submitter (CA or otherwise)
>>> why, and thus the submitted doesn't know how to resolve the problem.
>>
>> Are the folks that work for (sloppy) CAs really incapable of reading
>> RFC5280 for themselves, incapable of examining their rejected certs to
>> discover the problem(s) for themselves, and incapable of finding a
>> suitable mailing list on which to ask questions if they get stuck?
>
> I think may have misunderstood my point. I did not request that a log
> return an error indicating why a cert failed the logs checks. I asked
> that there be a deterministic way for a submitter to know whether a
> cert will pass.

Ah, I see.

> That can be accomplished in (at least) two ways:
> establish a standard set of checks that all logs perform

The I-D already says:
   "Logs MUST accept certificates that are fully valid according to RFC
    5280 [RFC5280] verification rules and are submitted with such a
    chain."

So the "deterministic way for a submitter to know whether a cert will 
pass" is for the submitter to ensure that the cert is fully compliant 
with RFC5280 verification rules and is supplied with a chain up to a 
root cert that the log accepts.

We don't want to encourage submitter CAs to needlessly violate RFC5280, 
so I see no good reason why we should turn the following behaviour into 
something deterministic:

   "Logs MAY accept certificates and precertificates that have
    expired, are not yet valid, have been revoked, or are otherwise not
    fully valid according to RFC 5280 verification rules in order to
    accommodate quirks of CA certificate-issuing software."

> , or establish a way to each log to state what set of checks it performs.
>
> Steve
>
>

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

v2.23.0 | Report a Bug | By Email