Re: [Trans] Relaxing section 5.1

Ben Laurie <> Fri, 04 November 2016 13:41 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 49925129526 for <>; Fri, 4 Nov 2016 06:41:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.498
X-Spam-Status: No, score=-3.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1A1vfHb-cQtU for <>; Fri, 4 Nov 2016 06:41:08 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400c:c08::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0AB0A129503 for <>; Fri, 4 Nov 2016 06:40:55 -0700 (PDT)
Received: by with SMTP id b35so66188644uaa.3 for <>; Fri, 04 Nov 2016 06:40:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=kiT97HdHcCSgpQ0Kh6SWNa2S4wcjtqLZ8Rjr6mH6GNg=; b=dUVGpjAuS95cB65a7HzmAFe8effM//FMSd6LaoJ9DKxr+iuyvrrI0fjWfcLlehTjoX E1RjcfOwyp4ZAbdGcZidAnI0ok7q2dg4qZOhQ5i97hI9UlGVdEVEbb4x6uBsEhf/sjkr 5XTBBGPEtwCFTcKZ3Cc3JijrRJhwv2MKKqIOqJLYeQFQS7K0nkQor36NiKuegmPwedHw Cdzptc8McK6ndCz416Z1LIP2NZbL4+6vW5RJt3wFCEct8KRffBiUNRt6vMX3msrUkZxe ffLvQrj1puZulDYFMKBJTwWx7MGLtMkumookvTlfZ//qWb2nsOIni2L+oInF3/+rsGx8 GDaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=kiT97HdHcCSgpQ0Kh6SWNa2S4wcjtqLZ8Rjr6mH6GNg=; b=CzqmI3W9hDWc7WRFLHXwzZBhpUCYF7IT+yX3O6YY9rIcBLigWCyRiIapDUWQV2z7YM UAWnuYX2bHZXwxDRoZQ+5PS1BFiLwOgTj4jPS0Bd3RKjtyrIJHbFWb+vhwLjQ7tZtlBX fNRFLkJ748n7vDmr5aj+oMjODda5WOC2wBb+aAcPkM7+vSs3PDaVj3mKMaFQKTYYgkL1 XmAALROg9bGoQcS/IQWgV66qhuI9MBVcV0KCs/DUjdYH/rI1yGwhQmp9dnrKOozJgiAV yhTUy4v83Wx0sEIdw2qWND/oyorMThd+uPplBFxHunBwLgSpeAPMquNITS7X6Fbdkofn 7RRA==
X-Gm-Message-State: ABUngvc8BFVSyNm0llF7/CfKAnyFWR4PH/+OWOg2gYrFgOULLzKVexo85xtrS3aGLtBWCpj7IkTNt+PNVVcyLMN8
X-Received: by with SMTP id h3mr10850316uad.176.1478266389879; Fri, 04 Nov 2016 06:33:09 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Fri, 4 Nov 2016 06:33:09 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <>
From: Ben Laurie <>
Date: Fri, 04 Nov 2016 13:33:09 +0000
Message-ID: <>
To: Peter Bowen <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Cc: Melinda Shore <>, "" <>
Subject: Re: [Trans] Relaxing section 5.1
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Public Notary Transparency working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 04 Nov 2016 13:41:10 -0000

On 3 November 2016 at 14:01, Peter Bowen <> wrote:
> On Thu, Nov 3, 2016 at 3:31 AM, Ben Laurie <> wrote:
>> On 2 November 2016 at 14:08, Peter Bowen <> wrote:
>>> By requiring all logs MUST accept any certificate that chains to a
>>> root in the log's root list, 6962bis fails to allow log operators to
>>> mitigate any Denial of Service attacks mounted by attempting to log
>>> massive numbers of certificates that are not relevant to the log
>>> scope.  For example, many existing certification authorities issue
>>> both server authentication certificates and certificates for personal
>>> identification.  For some roots, acquiring large numbers of these is
>>> relatively easy (see discussion of fetching millions of Taiwanese
>>> Citizen Digital Certificates in
>>>  As written
>>> today, a log MUST accept these.  There is no option for a log to
>>> require that all certificates must meet some usability criteria.
>> The requirement is to reject certs that don't meet the criteria, not
>> to accept those that do.
> So the root list is just "advisory" -- I could include roots where my
> local policy results in rejecting all certs chained to that root?  Or
> I could follow Brian's template and reject all and later add to the
> log via some other API (or have some rule like "client IP address must
> be" in order to get a cert logged)?  These would all be
> 6962bis compliant?

I was just reading what the language you quoted says. I don't actually
have the whole of 6962bis in my head right now.

The bit you didn't quote does say they the log has to accept valid
certs, tho: "Logs MUST accept certificates and precertificates that
are fully valid according to RFC 5280 [RFC5280] verification rules and
are submitted with such a chain."