Re: [Trans] Certificate verification

Matt Palmer <mpalmer@hezmatt.org> Mon, 20 October 2014 21:51 UTC

Date: Tue, 21 Oct 2014 08:51:23 +1100
From: Matt Palmer <mpalmer@hezmatt.org>
To: trans@ietf.org
Subject: Re: [Trans] Certificate verification

On Mon, Oct 20, 2014 at 01:44:57PM -0400, Paul Wouters wrote:
> On Mon, 20 Oct 2014, Linus Nordberg wrote:
> 
> as individual without chair hat...
> 
> >  Logs MUST verify that the submitted end-entity certificate or
> 
> >My intention was to make the specification less restrictive by changing
> >
> >                              Logs MAY accept certificates that have
> >  expired, are not yet valid, have been revoked, or are otherwise not
> >  fully valid according to X.509 verification rules in order to
> >  accommodate quirks of CA certificate-issuing software.
> 
> That seems to bring up the topic a bit too broadly I think? How about:
> 
> 	Logs MUST protect themselves against spam. They MAY require a
> 	fully validated X.509 certification chain to one of their configured
> 	trusted root CA's.

I prefer a more broad wording:

    Logs MAY reject certificate submissions which would compromise the
    integrity or availability of the log.  An example of a valid reason to
    reject a submission would be an attempt to "spam" the log with large
    numbers of certificates, consuming all its storage space and/or
    processing capacity.  Logs MUST NOT reject certificates for any other
    reason.

I'm willing to compromise a little on that last sentence, but I've seen some
comments recently that suggest that some people think CT logs are a
validation checker, not an activity log, so it'd be nice to clarify that in
the spec.

- Matt

-- 
[An ad for Microsoft] uses the musical theme of the "Confutatis Maledictis"
from Mozart's Requiem. "Where do you want to go today?" is on the screen,
while the chorus sings "Confutatis maledictis, flammis acribus addictis,".
Translation: "The damned and accursed are convicted to the flames of hell."