Certificate Transparency Version 2.0
draft-ietf-trans-rfc6962-bis-34
| Section | Field | Value |
|---|---|---|
| Document | Type | Active Internet-Draft (trans WG) |
| Document | Last updated | 2019-11-04 |
| Document | Stream | IETF |
| Document | Intended RFC status | Experimental |
| Document | Formats | plain text, xml, pdf, htmlized, bibtex |
| Stream | WG state | Submitted to IESG for Publication |
| Stream | Document shepherd | Paul Wouters |
| Stream | Shepherd write-up | last changed 2017-08-04 |
| IESG | IESG state | IESG Evaluation::AD Followup |
| IESG | Consensus Boilerplate | Yes |
| IESG | Telechat date | Needs a YES. Has 3 DISCUSSes. |
| IESG | Responsible AD | Roman Danyliw |
| IESG | Send notices to | "Paul Wouters" <paul@nohats.ca> |
| IANA | IANA review state | Version Changed - Review Needed |
Working group: TRANS (Public Notary Transparency)
Internet-Draft
Obsoletes: 6962 (if approved)
Intended status: Experimental
Expires: May 7, 2020
Authors: B. Laurie, A. Langley, E. Kasper, E. Messeri (Google); R. Stradling (Sectigo)
November 04, 2019
Certificate Transparency Version 2.0
draft-ietf-trans-rfc6962-bis-34
Abstract
This document describes version 2.0 of the Certificate Transparency
(CT) protocol for publicly logging the existence of Transport Layer
Security (TLS) server certificates as they are issued or observed, in
a manner that allows anyone to audit certification authority (CA)
activity and notice the issuance of suspect certificates as well as
to audit the certificate logs themselves. The intent is that
eventually clients would refuse to honor certificates that do not
appear in a log, effectively forcing CAs to add all issued
certificates to the logs.
This document obsoletes RFC 6962. It also specifies a new TLS
extension that is used to send various CT log artifacts.
Logs are network services that implement the protocol operations for
submissions and queries that are defined in this document.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 7, 2020.
Laurie, et al. Expires May 7, 2020 [Page 1]
Internet-Draft Certificate Transparency Version 2.0 November 2019
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 5
1.2. Data Structures . . . . . . . . . . . . . . . . . . . . . 5
1.3. Major Differences from CT 1.0 . . . . . . . . . . . . . . 5
2. Cryptographic Components . . . . . . . . . . . . . . . . . . 7
2.1. Merkle Hash Trees . . . . . . . . . . . . . . . . . . . . 7
2.1.1. Definition of the Merkle Tree . . . . . . . . . . . . 7
2.1.2. Verifying a Tree Head Given Entries . . . . . . . . . 8
2.1.3. Merkle Inclusion Proofs . . . . . . . . . . . . . . . 9
2.1.4. Merkle Consistency Proofs . . . . . . . . . . . . . . 10
2.1.5. Example . . . . . . . . . . . . . . . . . . . . . . . 12
2.2. Signatures . . . . . . . . . . . . . . . . . . . . . . . 14
3. Submitters . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.1. Certificates . . . . . . . . . . . . . . . . . . . . . . 14
3.2. Precertificates . . . . . . . . . . . . . . . . . . . . . 14
3.2.1. Binding Intent to Issue . . . . . . . . . . . . . . . 16
4. Log Format and Operation . . . . . . . . . . . . . . . . . . 16
4.1. Log Parameters . . . . . . . . . . . . . . . . . . . . . 17
4.2. Evaluating Submissions . . . . . . . . . . . . . . . . . 18
4.2.1. Minimum Acceptance Criteria . . . . . . . . . . . . . 18
4.2.2. Discretionary Acceptance Criteria . . . . . . . . . . 19
4.3. Log Entries . . . . . . . . . . . . . . . . . . . . . . . 19
4.4. Log ID . . . . . . . . . . . . . . . . . . . . . . . . . 20
4.5. TransItem Structure . . . . . . . . . . . . . . . . . . . 20
4.6. Log Artifact Extensions . . . . . . . . . . . . . . . . . 21
4.7. Merkle Tree Leaves . . . . . . . . . . . . . . . . . . . 21