Re: [Trans] Relaxing section 5.1

Peter Bowen <> Thu, 03 November 2016 01:30 UTC


On Wed, Nov 2, 2016 at 1:08 PM, Brian Smith <> wrote:
> Peter Bowen <> wrote:
>> Currently 6962bis section 5.1 says:
>>   "Logs MUST verify that each submitted certificate or precertificate
>>    has a valid signature chain to an accepted trust anchor, using the
>>    chain of intermediate CA certificates provided by the submitter. [...]
>>    logs MUST reject submissions without a
>>    valid signature chain to an accepted trust anchor.  Logs MUST also
>>    reject precertificates that do not conform to the requirements in
>>    Section 3.2."
>> Is there a reason this is enshrined as a MUST?  It seems like it
>> should be up to the log operator to determine their policy.
> The log can reject the submission (return a non-2xx response) and still
> incorporate the certificate into the log, especially if it can build its own
> path to a trust anchor it trusts. The only thing that the log is prohibited
> from doing is giving the submitter a 200 response with an SCT when the
> submitter supplies an incomplete/untrusted chain.

Right, but why?  If the log can fix it up on the fly, why not return an
SCT?  Why can a log not include a certificate it finds acceptable even
if it can't link it back to a root?  Why should a log have a separate
store of certs for "future submission" instead of logging them?

I see the worry about spam, but this would seem to be a greater risk
for the log operator than anyone else.  After all, the log has to store
all the data and transfer it to all the clients, so their bandwidth
usage is far greater than any given client's.
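As an added illustration of the section 5.1 check under discussion (a Go example written for this page, not code from the draft or from any log implementation; the roots, intermediate and leaf are constructed test material and the Common Names are made up): a leaf submitted with an empty chain fails the strict check, while the same leaf passes once the log completes the path from an intermediate it already has on file, which is the case Brian describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a constructed test certificate for cn; a nil parent yields a self-signed root.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("constructed test key: " + cn)) // deterministic demo key, not CA material
	priv := ed25519.NewKeyFromSeed(seed[:])
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, priv.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// chainsToAnchor is the section 5.1 check: a valid signature chain from leaf to an accepted anchor.
func chainsToAnchor(leaf *x509.Certificate, intermediates, anchors *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: anchors, Intermediates: intermediates})
	return err == nil
}

// Scenario checks a leaf submitted with an empty chain: strictly (the MUST reject case) and
// after the log completes the path from an intermediate it already knows.
func Scenario() (leafOnlyStrict, leafOnlyCompleted bool) {
	root, rootKey := issue("Test Root", true, nil, nil)
	inter, interKey := issue("Test Intermediate", true, root, rootKey)
	leaf, _ := issue("example.test", false, inter, interKey)
	anchors, logCache := x509.NewCertPool(), x509.NewCertPool()
	anchors.AddCert(root)
	logCache.AddCert(inter) // seen by the log in an earlier, complete submission
	// Strict rule: the submitter supplied no chain, so reject. Relaxed: the log supplies the path itself.
	return chainsToAnchor(leaf, x509.NewCertPool(), anchors), chainsToAnchor(leaf, logCache, anchors)
}
```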