I didn't realize these all had to be measurable from the outside. Some
of them I just want to know from a monitoring and logging perspective.
I'll use DigiCert as an example since it's the log I'm most familiar with.
> 1) Rate limits on adding certificates
Can you clarify what you mean by this? That is, how do you propose to
quantify this, and how do you propose compliance be monitored to this?
[JR] It's pretty easy to monitor. Either you can make the queries at
the rate specified or you can't. However, as a CA, I do want to know
how many certs I can dump into a log at once. I'd like to know whether
the rate limit is tied to the total number of certs waiting to be
merged into the tree or if there is a limit on the number I should
submit a second.
(2 was merged with this one)
>
> 3) Individual rate limits (say by IP address) compared to overall rate limits
Same
[JR] Hard to monitor, but I believe Comodo's log throttles the certs
by IP address whereas we have an overall rate limit. For DigiCert it
doesn't matter who logs, but once the bandwidth is filled up, no more
certs can be added to the log. From a CA stand-point, I'd like to know
whether I'm hitting the limit or if its a general log use problem.
>
> 4) Other rate limits related to the public's use of the log
Same
[JR] If the goal is transparency, there should be transparency for log
operators. I don't expect this question to be answered, but are there
other rate limits that we haven't thought of that the log operator has
in place? No proposed monitoring on this one, I'd just like to know
what log operators are doing.
>
> 5) Redundancy of the log's operations, including which IP addresses
> need to be whitelisted for redundancy sites
Unclear what you mean here
[JR] As far as redundancy, I'd like to know whether the log will stay
up. Although Google initially monitors this, most of the external CA
logs have failed. If the log operator doesn't have redundant
operations, I'd prefer not to log to them. For the IP address issue,
we have our log operating out of three different data centers. This
means our log has three different IP addresses that the API could
resolve to. We had issues with people who didn't poke enough holes in
their firewall.
>
> 6) A list of requirements to embed a root
I think this is uncontroversial
> 7) The fee charged for embedding a root/logging certificates
That assumes a fee is charged, right? How is this different than 6?
[JR] It's not. We could merge the two.
>
> 8) Restrictions on the certs being logged and whether any certs are
> blocked from logging (such as expired certificates, code signing, etc)
Would it be better to formalize this as must?
[JR] What do you mean? Like a "must log x, y, and z?" From the CA
perspective, I want to know what I can include in the log. I think the
Google inclusion policy should specify what type of certs must be
permitted (i.e. - all non-expired SSL certs). The log operator could
then expand on those base requirements, such as permitting code
signing or expired certs.
>
> 9) Which roots are already included and which are planned for inclusion
It's already required they list what roots are included. The policy
states as much. It also states to update when that changes.
Can you explain why it is/should be relevant to also document planned
for inclusion?
[JR] Someone mentioned that they only wanted a few logs included in
Google's log store. If that is true, the selected logs should be as
broadly used as possible. If I submit a log knowing that it's only
intended for DigiCert (and only includes the DigiCert roots) then is
that valuable to the ecosystem? What if it's the WoSign log and no one
intends to log to it? If there are only a few logs permitted, we
should know whether they intend to serve the entire community or just
a small sub-set.
>
> 10) The circumstances and process for removing a root.
Can you expand on what your goal with this is? For example, has this
been an issue with existing log operators? What level of detail is
expected? If a log operator needs to respond to changes, is it a
violation if they go beyond that process? Is that conducive or harmful
to the log ecosystem?
[JR] The goal is to give CAs knowledge of when their root will be
kicked out of a log. For example, we removed a Comodo root because of
the volume of certs logged. I'm sure Comodo would have appreciated
more clear guidance on when this would happen. I know I'd like to be
evaluate the risk my roots will be removed.