[Trans] Relaxed X.509 validation rules
Erwann Abalea <eabalea@gmail.com> Mon, 02 June 2014 16:09 UTC
Date: Mon, 02 Jun 2014 18:08:57 +0200
Message-ID: <CA+i=0E6kBG+teg7r7eiP4Vw2yf0u6e2xHXN0SDdJmJ4nCQdKQQ@mail.gmail.com>
From: Erwann Abalea <eabalea@gmail.com>
To: "trans@ietf.org" <trans@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/ufuyhwHqSPkqkqiUiq43WbEoQiY
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>

Hello,

For security reasons, our online CAs have a critical BC extension with pathLenConstraint set to 0. For security+compliance reasons (RFC5280/X.509), our CA system doesn't allow for duplicate serial numbers under a CA, so we're going to issue a "Precertificate Signing Certificate" under our different issuing CAs for precertificate generation.

Of course, a compliant X.509 third party MUST fail to validate the precertificate (because of the pathLenConstraint=0 issuing something that acts as a CA without being declared as such).

How will this case be handled by log servers? RFC6962 in section 3.1 states that "the log may relax standard validation rules to allow this, so long as the issued certificate will be valid", without any detail on relaxed rules. Will it be mandatory to re-issue pathLenConstraint=1 CA certificates and relax our security rules?

--
Erwann.
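
The path-length failure described in the message above, modelled as an added example (not part of the original message and not code from any log implementation): it runs the basic-constraints steps of RFC 5280 section 6.1.4 over a constructed chain, then over the chain the final certificate would have. The `Cert` class, the sample names and `check_path_relaxed` are assumptions made for illustration; the relaxed rule shown is one possible reading of the RFC 6962 sentence quoted above, not a rule that RFC defines.

```python
from dataclasses import dataclass
from typing import Optional

# EKU OID that RFC 6962 section 3.1 gives a Precertificate Signing Certificate.
CT_PRECERT_SIGNING_EKU = "1.3.6.1.4.1.11129.2.4.4"

@dataclass(frozen=True)
class Cert:                      # hypothetical minimal model, not a real parser
    subject: str
    issuer: str
    is_ca: bool = False
    path_len: Optional[int] = None   # pathLenConstraint, None if absent
    eku: tuple = ()

def check_path(path):
    """Steps (k)-(m) of RFC 5280 section 6.1.4 (basic constraints only).
    `path` runs from the certificate issued by the trust anchor to the leaf;
    signatures, names and validity periods are out of scope here."""
    max_path_length = len(path)
    for cert in path[:-1]:                       # every non-final certificate
        if not cert.is_ca:
            return False, f"{cert.subject}: not a CA"
        if cert.subject != cert.issuer:          # not self-issued
            if max_path_length <= 0:
                return False, f"{cert.subject}: pathLenConstraint exceeded"
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return True, "ok"

def check_path_relaxed(path):
    """Hypothetical relaxed rule: skip intermediates carrying the CT
    precertificate-signing EKU, i.e. validate the path the final
    certificate will have once the issuing CA signs it directly."""
    kept = [c for c in path[:-1] if CT_PRECERT_SIGNING_EKU not in c.eku]
    return check_path(kept + [path[-1]])

# Constructed sample chain (names are placeholders).
ISSUING = Cert("Issuing CA", "Root CA", is_ca=True, path_len=0)
SIGNER = Cert("Precert Signer", "Issuing CA", is_ca=True,
              eku=(CT_PRECERT_SIGNING_EKU,))
PRECERT = Cert("www.example.test", "Precert Signer")

if __name__ == "__main__":
    print("strict :", check_path([ISSUING, SIGNER, PRECERT]))
    print("relaxed:", check_path_relaxed([ISSUING, SIGNER, PRECERT]))
```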