Re: [Trans] Certificate verification
Linus Nordberg <linus@nordu.net> Sat, 18 October 2014 12:22 UTC
Return-Path: <linus@nordu.net>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 200011A6FF4 for <trans@ietfa.amsl.com>; Sat, 18 Oct 2014 05:22:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.871
X-Spam-Level:
X-Spam-Status: No, score=-0.871 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_SE=0.35, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dR2Hxqe9Djha for <trans@ietfa.amsl.com>; Sat, 18 Oct 2014 05:22:18 -0700 (PDT)
Received: from e-mailfilter02.sunet.se (e-mailfilter02.sunet.se [IPv6:2001:6b0:8:2::202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 663051A6FEE for <trans@ietf.org>; Sat, 18 Oct 2014 05:22:18 -0700 (PDT)
Received: from smtp1.nordu.net (smtp1.nordu.net [IPv6:2001:948:4:6::32]) by e-mailfilter02.sunet.se (8.14.4/8.14.4/Debian-4) with ESMTP id s9ICM5tE024443 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sat, 18 Oct 2014 14:22:05 +0200
Received: from kerio.nordu.net (kerio.nordu.net [109.105.110.42]) by smtp1.nordu.net (8.14.7/8.14.7) with ESMTP id s9ICLvk8018856 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 18 Oct 2014 12:22:00 GMT
VBR-Info: md=nordu.net; mc=all; mv=swamid.se
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nordu.net; s=default; t=1413634925; bh=9Emze6XTcaJxwpcmIvwDC8MJowNlkpWVB1fX83hfu68=; h=From:To:Cc:Subject:References:Date:In-Reply-To; b=bFGae0g/korzdkMv8Qfk4jMj53fCO5s9oIrbYUUgzi+23bOmFFJyYYCPLZ7hztdXY VPEb7v7h6PPjlIbqp+iOSeLGlmn0QJQoQTgw9dnYHwZGd2g6LgGHAIwA2qNzCK/59P wn8LPdZCQiJN9QY2qgWlGTZnfBZDzl7e+Bn1kryo=
X-Footer: bm9yZHUubmV0
Received: from flogsta ([193.10.5.129]) (authenticated user linus@nordu.net) by kerio.nordu.net (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)); Sat, 18 Oct 2014 14:21:57 +0200
From: Linus Nordberg <linus@nordu.net>
To: Matt Palmer <mpalmer@hezmatt.org>
Organization: NORDUnet A/S
References: <871tq6uaf1.fsf@nordberg.se> <20141017234400.GT9502@hezmatt.org>
Date: Sat, 18 Oct 2014 14:22:22 +0200
In-Reply-To: <20141017234400.GT9502@hezmatt.org> (Matt Palmer's message of "Sat, 18 Oct 2014 10:44:00 +1100")
Message-ID: <87y4sdmutd.fsf@nordberg.se>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain
X-Scanned-By: CanIt (www . roaringpenguin . com)
X-Scanned-By: MIMEDefang 2.74 on 109.105.111.32
X-p0f-Info: os=unknown unknown, link=Ethernet or modem
X-CanIt-Geo: ip=109.105.110.42; country=SE; latitude=62.0000; longitude=15.0000; http://maps.google.com/maps?q=62.0000,15.0000&z=6
X-CanItPRO-Stream: outbound-nordu-net:outbound (inherits from outbound-nordu-net:default, nordu-net:default, base:default)
X-Canit-Stats-ID: 0aN4Am59k - 425ea6254b3a - 20141018
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/YC1Msgqx7-Se_Bu_6NJlpWbGnsA
Cc: trans@ietf.org
Subject: Re: [Trans] Certificate verification
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Oct 2014 12:22:20 -0000
Matt Palmer <mpalmer@hezmatt.org> wrote Sat, 18 Oct 2014 10:44:00 +1100: | > Since the purpose of the log is to put light on bad certificates, would | > it make sense to instead have text 1) specifying a minimum of checks to | > be done (i.e. the chain) and 2) encouraging logging and publishing of | > all other certificates? | | IMO, yes. My opinion is that a log which rejects certificates for reasons | other than those required to maintain the operation of the log (ie spamming) | is worthless -- you're *not* getting a complete view of what a CA intended | to issue, you're getting some sort of filtered, sanitised view of it. Thanks, this is my view as well. Happy to try to provide text unless other people on the list have a good case against this. | > On a minor note, I think that "trusted" in the very first sentence | > should be changed to "known. Should I use the issue tracker? | | I've been advised that for small, non-controversial changes, submitting a | pull request direct to the github repo is fine. Thanks, did that.
- [Trans] Certificate verification Linus Nordberg
- Re: [Trans] Certificate verification Matt Palmer
- Re: [Trans] Certificate verification Linus Nordberg
- Re: [Trans] Certificate verification Ben Laurie
- Re: [Trans] Certificate verification Ben Laurie
- Re: [Trans] Certificate verification Linus Nordberg
- Re: [Trans] Certificate verification Paul Wouters
- Re: [Trans] Certificate verification Linus Nordberg
- Re: [Trans] Certificate verification Matt Palmer
- Re: [Trans] Certificate verification Matt Palmer
- Re: [Trans] Certificate verification Ben Laurie
- Re: [Trans] Certificate verification Stephen Kent