Pilot and Aviator RFC compliance

Peter Bowen

May 26, 2016, 10:29:59 PM
to ct-p...@chromium.org
It was pointed out to me today that Pilot and Aviator have violated
RFC 6962 in the past – they have not followed section 3.1:

Logs MUST verify that the submitted end-entity certificate or
Precertificate has a valid signature chain leading back to a trusted
root CA certificate, using the chain of intermediate CA certificates
provided by the submitter.

As you can see from https://crt.sh/?id=10663251,
https://crt.sh/?id=10735477, and https://crt.sh/?q=10665866, it did
not enforce the above requirement. The first two certificates do not
chain back to a trusted root CA certificate and the last one has an
invalid signature. The timestamps for these certificates are well past
when they were approved for inclusion in Chromium
(https://bugs.chromium.org/p/chromium/issues/detail?id=389514 and
https://bugs.chromium.org/p/chromium/issues/detail?id=389511).

While I would consider this to be a low impact violation of RFC 6962,
the Chromium team has made it clear that compliance with RFCs is a key
requirement for participants in the WebPKI, including CA and CT Logs.
Personally I believe that this should not cause these logs to be
disqualified, but it is not my decision to make.

Thanks,
Peter
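
The section 3.1 acceptance check quoted in the message above, sketched as an added example (not part of the original thread and not the code of either log). It covers the two failure classes reported: a chain that does not reach a trusted root and a certificate with an invalid signature. The names `issue`, `acceptSubmission` and `demo` are hypothetical, and the certificates are throwaway Ed25519 test certificates constructed in the program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a constructed test certificate (nil parent = self-signed); errors ignored, inputs are fixed.
func issue(cn string, isCA bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		IsCA: isCA, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// acceptSubmission (hypothetical) rejects a leaf unless it chains to a trusted root via the submitted chain.
func acceptSubmission(leaf *x509.Certificate, roots *x509.CertPool, chain ...*x509.Certificate) error {
	inter := x509.NewCertPool()
	for _, c := range chain {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// demo returns the verdicts for a valid chain, an untrusted root and a tampered signature.
func demo() (valid, untrusted, tampered error) {
	root, rk := issue("Trusted Root", true, nil, nil)
	ica, ik := issue("Intermediate", true, root, rk)
	leaf, _ := issue("leaf.example", false, ica, ik)
	other, _ := issue("Unknown Root", true, nil, nil) // self-signed, not in the log's root set
	raw := append([]byte{}, leaf.Raw...)
	raw[len(raw)-1] ^= 0xff // flip the last byte of the signature
	bad, _ := x509.ParseCertificate(raw)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return acceptSubmission(leaf, roots, ica), acceptSubmission(other, roots), acceptSubmission(bad, roots, ica)
}

func main() { fmt.Println(demo()) }
```
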

Iñigo Barreira

Jun 3, 2016, 2:07:23 AM
to Peter Bowen, ct-p...@chromium.org
Peter, if this is a violation of the policy, Google has clearly indicated the decision in the past. There's no such "low impact" interpretation, so as you say, Google will have to take an action on what to do in this matter.

Regards

Richard Salz

Jun 3, 2016, 11:20:21 AM
to Iñigo Barreira, Peter Bowen, ct-p...@chromium.org
It's been a week, can someone from Google at least confirm that their two logs are in violation?

Eran Messeri

Jun 3, 2016, 1:44:42 PM
to ct-p...@chromium.org

We're drafting a response which I hope we could post today.


Ryan M Hurst

Jun 4, 2016, 12:42:49 PM
to Certificate Transparency Policy
I have posted the incident response from this incident here: https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/Itoq0YUZTlA

Richard Salz

Jun 4, 2016, 1:23:31 PM
to Ryan Hurst, Certificate Transparency Policy

So now we are waiting to hear the Chromium response, right?

It seems a minor noncompliance, but I am not fully convinced users wouldn't be at risk. But it is noncompliance, so I expect to see the standard actions taken.

Ryan M Hurst

Jun 4, 2016, 1:38:04 PM
to Certificate Transparency Policy, r...@google.com
Yes.

The Google Certificate Transparency team operates these logs on behalf of Google but are subject to the same criteria as other logs to be considered for inclusion by the Chromium team.

As for the impact to users, the requirement to not include invalid signatures is a mechanism to protect logs from SPAM. For the duration of time this issue was in production the logs were exposed to increased risk of DDOS. That said there are and were other mechanisms in place to help with DDOS that would have helped mitigate such an attack should it have occurred.


Ryan