Opened 8 years ago

Last modified 7 years ago

#39 reopened defect

Monitor behavior

Reported by: kent@… Owned by:
Priority: major Milestone:
Component: client-behavior Version:
Severity: - Keywords:


Sectio 5.3 says that a monitor “watches for certificates of interest” but the text does not say how one specifies such certs to a monitor. The text needs to be revised to provide a meaningful specification for monitors.

Change History (6)

comment:1 Changed 8 years ago by rob.stradling@…

  • Component changed from rfc6962-bis to client-behavior

comment:2 Changed 8 years ago by rob.stradling@…

  • Owner draft-ietf-trans-rfc6962-bis@… deleted

comment:3 Changed 8 years ago by benl@…

  • Resolution set to wontfix
  • Status changed from new to closed

As agreed, we are not specifying client behaviour.

comment:4 Changed 8 years ago by benl@…

  • Resolution wontfix deleted
  • Status changed from closed to reopened

Re-opened in case anyone wants to write a client behaviour doc.

comment:5 Changed 8 years ago by eranm@…

Out for review in
Only provides an example of what a monitor may do.

comment:6 Changed 7 years ago by kent@…

The following text should replace Section 9.3, so that the Monitor function is described in a way consistent with earlier comments about Monitors in this doc, and in a way that does not include Auditor functionality. The algorithm described in this section should be moved to an Appendix.

A Monitor observes a set of logs to detect certificate mis-issuance. A Monitor notifies a Subject (TLS server) when a mis-issued certificate has been issued on behalf of that Subject. Every CT-aware Subject ought to either perform self-Monitoring or arrange with a third-party Monitor to detect mis-issued certificates on behalf of the Subject. A CA might performing monitoring on behalf of the Subjects to which it issue certificates, an important example of third-party monitoring.

A Monitor performs its function by examining all entries from a set of logs that it observes and comparing these entries to reference data for a set of one or more Subjects. (The reference data consists, at a minimum, of a list of Subject and Subject Alternative Names and the pubic key information associated with each, supplied by the Subject.) If a Monitor detects a log entry for a certificate that is inconsistent with the reference data for a Subject, the Monitor notifies the Subject. Requirements for the Monitor function will be provided in a document to be publish later.

Note: See TracTickets for help on using tickets.