Opened 7 years ago

Closed 7 years ago

#73 closed defect (fixed)

Section 3 text re log cert validation is ambiguous

Reported by: kent@… Owned by: draft-ietf-trans-rfc6962-bis@…
Priority: critical Milestone: review
Component: rfc6962-bis Version:
Severity: - Keywords:


Section 3 states “When a valid certificate is submitted to a log …” It later says: Logs MUST accept certificates that are fully valid according to X.509 verification rules and are submitted with such a chain. Logs MAY accept certificates and precertificates that have expired, are not yet valid, have been revoked, or are otherwise not fully valid according to X.509 verification rules in order to accommodate quirks of CA certificate-issuing software.” This specification for what constitutes a valid certificate is ambiguous, e.g., it fails to specify a version of the X.509 standard. I suggest citing RFC 5280 instead. Also, as noted before (ticket #??) there is no specified way for a log to advertise whether is accepts certificates that have “issues” nor to specify what deviations from X.59 (or 5280) are acceptable to a specific log.

Change History (4)

comment:1 Changed 7 years ago by rob.stradling@…

  • Component changed from client-behavior to rfc6962-bis

comment:2 Changed 7 years ago by benl@…

On the issue of specifying deviations, I am not sure how that could realistically be done. For example, our logs will permit whatever deviations OpenSSL permits. I don't think anyone knows precisely what those are, and I'm prepared to bet they vary between versions.

Even leaving that aside, experience suggests we have to permit deviations in order to admit incorrect certificates that are accepted by browsers. I don't think we can anticipate what all of those are.

comment:4 Changed 7 years ago by melinda.shore@…

  • Resolution set to fixed
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.