Last Call Review of draft-laurie-pki-sunlight-05
review-laurie-pki-sunlight-05-secdir-lc-hutzelman-2013-01-25-00

Request Review of draft-laurie-pki-sunlight
Requested rev. no specific revision (document currently at 12)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2013-01-24
Requested 2013-01-03
Other Reviews Genart Last Call review of -05 by Francis Dupont (diff)
Genart Last Call review of -07 by Francis Dupont (diff)
Genart Telechat review of -09 by Francis Dupont (diff)
Review State Completed
Reviewer Jeffrey Hutzelman
Review review-laurie-pki-sunlight-05-secdir-lc-hutzelman-2013-01-25
Posted at http://www.ietf.org/mail-archive/web/secdir/current/msg03724.html
Reviewed rev. 05 (document currently at 12)
Review result Has Issues
Draft last updated 2013-01-25
Review closed: 2013-01-25

Review
review-laurie-pki-sunlight-05-secdir-lc-hutzelman-2013-01-25

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.


This document describes an experimental protocol for publicly logging
the existence of certificates as they are issued or observed, in a manner
that allows anyone to audit certificate authority activity and notice the
issuance of suspect certificates, as well as to audit the logs themselves.
The intent is that eventually clients would refuse to honor certificates
which do not appear in a log, effectively forcing CAs to add all issued
certificates to the logs.

Overall, the approach used here looks reasonable.  However, I have a few
specific comments, and also recommend that the security area directors pay
special attention to this document, as it has the potential to have
far-reaching effects if the experiment is successful.



The abstract for this document is four paragraphs and takes up an entire
page.  It could be a lot shorter.  For example, I think my one-paragraph
summary above is sufficient to fill the role of an abstract, which is to
allow the reader to find out what a document is about and decide whether
he wants to read it.

This document makes extensive use of RFC2119 requirements language, but
the body of the document does not contain text incorporating the meanings
of these terms.  Instead, the usual text is hidden in a "Requirements
Language" section which appears just below the abstract, outside the main
body of the document.  This should be moved into the document proper.

For describing its messages and data structures, this document makes
extensive use of a language which is unfamiliar to me and for which no
reference is given.  I can make some guesses as to what it means, but
guesswork does not make for interoperable implementations.

I'm concerned that this document attempts to specify operational policy,
particularly for operators of logs.  As the saying goes, "MUST is for
implementors"; statements like "Anyone can submit a certificate to any 
log" are inappropriate for protocol specifications.  In practice, it
seems likely that log operators will establish policies regarding both
who may submit certificates and which certificates they will accept, and
no amount of MUST in a protocol spec is going to change that.

Similarly, as an anti-spam measure, this document proposes that logs accept
only certificates which chain back to a known CA, and requires that logs
validate each submitted certificate before appending it to the log.  This
sounds good, but it's not the only possible mechanism, and so I think MUST
is too strong here.  Additionally, there is no discussion of the security
implications if a client depends on a log to do this and the log does not
actually do so.  Rather than requiring that logs validate every submitted
certificate, the document should only RECOMMEND that they do so, and make
clear that clients MUST NOT depend on such validation having been done.