Re: [Trans] Relaxing section 5.1

Brian Smith <brian@briansmith.org> Wed, 02 November 2016 20:08 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBC63129469 for <trans@ietfa.amsl.com>; Wed, 2 Nov 2016 13:08:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=briansmith-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hjs77LSf62Ip for <trans@ietfa.amsl.com>; Wed, 2 Nov 2016 13:08:45 -0700 (PDT)
Received: from mail-oi0-x22b.google.com (mail-oi0-x22b.google.com [IPv6:2607:f8b0:4003:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27FCD127076 for <trans@ietf.org>; Wed, 2 Nov 2016 13:08:45 -0700 (PDT)
Received: by mail-oi0-x22b.google.com with SMTP id x4so35187783oix.2 for <trans@ietf.org>; Wed, 02 Nov 2016 13:08:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=briansmith-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=xIfPkEEs/xET6BNZb/noW/rDOay4hz2ZJYmqw7N6Kns=; b=r8KyK1QMWV49mLemJvWVjIiPhrfBrJLiTvMjBlGMsFgDdXIlTLz7W+uIxyNoAzAJ9Q 0tmqIhkfJvtSySWFxPdaGdHCk0h6Gini2xOK1HMR+8+G0s72kgsBA7csqEIZqz0ryR6k CzszJvrWBzqwijtOdP7f9V7wsaKPdDV6XEbQgmVEdNZtPTvGq4h+gQvvKNW2SjnjGx1e K/T/sxrcnYXIcOcgWT6ruMX7DnNBJn4ffSdqUHkzdM/m0KB5Qi8w5ivOlGS5Zo/X+GjR y6g8JINCl/PUPJN85xi9/WWV8djfmtyMiwyctySULl4eIx6VMVIbQaIKoLcYwNYFRIAm yUAw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=xIfPkEEs/xET6BNZb/noW/rDOay4hz2ZJYmqw7N6Kns=; b=f1aGSsU5R63LwjpUIhySqbhgJoHbb6AO9OXX7VYDJBMhkwOpOASCLC/xQ19k9OYBr3 bBk0M3kl+Z3XEiBWvoDC9/0UP5W9pX2kt5PETqwWmYZuDBfi7zjOo09VohXKhLbv1L8L 0b+DBXE9sThZgRXwielj3ts6iAr6C/WSLjW+N+2PVpgm52FspBLkiD9vCoY903i3Ck16 geZfcEAb0Fx/FfPHKitRvMY739OUN3HK3jWnObQeIQHGjN1WwtH+SxM2QiM18AhMKesp tkX/AIUtCx0EwtqwpJ3/91cBjKSK/eRxWH0+gPe5J08A+nHbLm1YOtis5zMEfuOwHdpD QDFA==
X-Gm-Message-State: ABUngvd5cQbA6rhK6OayL1jaqU52EN6UPRfRy5q0//ERf9UtjTB56gu1dpVGietWpjMSKGjj/HTsdnOVmx2cpA==
X-Received: by 10.107.7.96 with SMTP id 93mr123863ioh.136.1478117324264; Wed, 02 Nov 2016 13:08:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.36.85.83 with HTTP; Wed, 2 Nov 2016 13:08:43 -0700 (PDT)
In-Reply-To: <CAK6vND8_4OQ0du0MC8Z5=NJR5ho1EpT-8H41O+Te9tvM3YeNcg@mail.gmail.com>
References: <CAK6vND8_4OQ0du0MC8Z5=NJR5ho1EpT-8H41O+Te9tvM3YeNcg@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
Date: Wed, 02 Nov 2016 10:08:43 -1000
Message-ID: <CAFewVt4_7VYf3UkP+7drqVLQ7hKAotg1VQEaqgMmw6kJBtzwLA@mail.gmail.com>
To: Peter Bowen <pzbowen@gmail.com>
Content-Type: multipart/alternative; boundary="001a113ec7d00cad4405405702ac"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/uwTj8itkNifOCYbRVVj2weJFEmI>
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] Relaxing section 5.1
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2016 20:08:47 -0000

Peter Bowen <pzbowen@gmail.com> wrote:

> Currently 6962bis section 5.1 says:
>
>   "Logs MUST verify that each submitted certificate or precertificate
>    has a valid signature chain to an accepted trust anchor, using the
>    chain of intermediate CA certificates provided by the submitter. [...]
>    logs MUST reject submissions without a
>    valid signature chain to an accepted trust anchor.  Logs MUST also
>    reject precertificates that do not conform to the requirements in
>    Section 3.2."
>
> Is there a reason this is enshrined as a MUST?  It seems like it
> should be up to the log operator to determine their policy.


The log can reject the submission (return a non-2xx response) and still
incorporate the certificate into the log, especially if it can build its
own path to a trust anchor it trusts. The only thing that the log is
prohibited from doing is giving the submitter a 200 response with an SCT
when the submitter supplies an incomplete/untrusted chain.

In particular, the log can reject a submission (with a non-2xx response)
but then re-submit the same certificate to itself with a different
certificate chain (returning a 2xx response).

A log can store rejected submissions in a holding bin for later
self-submission when new intermediates are discovered and/or new roots are
trusted.

Note that when people query the log using get-entries, the log shouldn't
return certificates it has never been able to build a valid chain for, by
default, I think. Otherwise the system doing the querying might be DoS'd
with untrusted certificates. But, it is probably a good idea to have a way
to query rejected/not-yet-trusted submissions too.

Cheers,
Brian
-- 
https://briansmith.org/