Syntactic and Semantic Checks for Domain Validation Certificates

Document Type Expired Internet-Draft (individual)
Authors Stephen Kent  , Rick Andrews 
Last updated 2016-06-25 (latest revision 2015-12-23)
Stream (None)
Intended RFC status (None)
Expired & archived
plain text xml pdf htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


Certificate Transparency (CT) [RFC6962-bis] is a system for publicly logging the existence of X.509 certificates as they are issued or observed. The logging mechanism allows anyone to audit certification authority (CA) activity and detect the issuance of "suspect" certificates. Detecting mis-issuance of certificates is a primary goal of CT. A certificate is considered to be mis-issued if it fails to meet syntactic and/or semantic criteria associated with the type of certificate being issued. Mis-issuance can be detected by CT log servers, whose feedback to a CA could prompt the CA to not issue a suspect certificate. (Preventing the mis-issuance of such a certificate is preferable to issuing it and detecting it later.) Compliant CT log servers could offer these checks to a CA submitting a pre-certificate to be logged. These checks are intended to be used in an environment in which CAs optionally assert the version of the EV guidelines to which the submitted pre-certificate purportedly conforms. Log servers would then perform the checks of supported [CABF-DV] versions and include the CA's assertion and the log server's result in its Signed Certificate Timestamp (SCT). Monitors can also perform checks to detect suspect certificates on behalf of certificate Subjects. Checks performed by a Monitor also serve to double check log servers that claim to have checked a certificate, to identify those that are not doing the checks properly, e.g., because of errors, compromise, or conspiracy. This provides Monitors and CT clients with additional information when choosing which logs to use.


Stephen Kent (
Rick Andrews (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)