rfc9162v2.txt | rfc9162.txt | |||
---|---|---|---|---|
Internet Engineering Task Force (IETF) B. Laurie | Internet Engineering Task Force (IETF) B. Laurie | |||
Request for Comments: 9162 A. Langley | Request for Comments: 9162 E. Messeri | |||
Obsoletes: 6962 E. Kasper | Obsoletes: 6962 Google | |||
Category: Experimental E. Messeri | Category: Experimental R. Stradling | |||
ISSN: 2070-1721 Google | ISSN: 2070-1721 Sectigo | |||
R. Stradling | November 2021 | |||
Sectigo | ||||
October 2021 | ||||
Certificate Transparency Version 2.0 | Certificate Transparency Version 2.0 | |||
Abstract | Abstract | |||
This document describes version 2.0 of the Certificate Transparency | This document describes version 2.0 of the Certificate Transparency | |||
(CT) protocol for publicly logging the existence of Transport Layer | (CT) protocol for publicly logging the existence of Transport Layer | |||
Security (TLS) server certificates as they are issued or observed, in | Security (TLS) server certificates as they are issued or observed, in | |||
a manner that allows anyone to audit certification authority (CA) | a manner that allows anyone to audit certification authority (CA) | |||
activity and notice the issuance of suspect certificates as well as | activity and notice the issuance of suspect certificates as well as | |||
skipping to change at line 60 | skipping to change at line 58 | |||
Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
include Simplified BSD License text as described in Section 4.e of | include Revised BSD License text as described in Section 4.e of the | |||
the Trust Legal Provisions and are provided without warranty as | Trust Legal Provisions and are provided without warranty as described | |||
described in the Simplified BSD License. | in the Revised BSD License. | |||
Table of Contents | Table of Contents | |||
1. Introduction | 1. Introduction | |||
1.1. Requirements Language | 1.1. Requirements Language | |||
1.2. Data Structures | 1.2. Data Structures | |||
1.3. Major Differences from CT 1.0 | 1.3. Major Differences from CT 1.0 | |||
2. Cryptographic Components | 2. Cryptographic Components | |||
2.1. Merkle Trees | 2.1. Merkle Trees | |||
2.1.1. Definition of the Merkle Tree | 2.1.1. Definition of the Merkle Tree | |||
skipping to change at line 2401 | skipping to change at line 2399 | |||
The designated expert(s) should review the public specification to | The designated expert(s) should review the public specification to | |||
ensure that it is detailed enough to ensure implementation | ensure that it is detailed enough to ensure implementation | |||
interoperability. They should also verify that the extension is | interoperability. They should also verify that the extension is | |||
appropriate to the contexts in which it is specified to be used (SCT, | appropriate to the contexts in which it is specified to be used (SCT, | |||
STH, or both). | STH, or both). | |||
10.2.5. Log IDs | 10.2.5. Log IDs | |||
IANA has established a registry of Log IDs, named "Log IDs". | IANA has established a registry of Log IDs, named "Log IDs". | |||
The registry's registraton procedure is First Come First Served. | The registry's registration procedure is First Come First Served. | |||
The "Log IDs" registry initially consists of: | The "Log IDs" registry initially consists of: | |||
+================+==============+==============+===========+ | +================+==============+==============+===========+ | |||
| Log ID | Log Base URL | Log Operator | Reference | | | Log ID | Log Base URL | Log Operator | Reference | | |||
+================+==============+==============+===========+ | +================+==============+==============+===========+ | |||
| 1.3.101.8192 - | Unassigned | Unassigned | | | | 1.3.101.8192 - | Unassigned | Unassigned | | | |||
| 1.3.101.16383 | | | | | | 1.3.101.16383 | | | | | |||
+----------------+--------------+--------------+-----------+ | +----------------+--------------+--------------+-----------+ | |||
| 1.3.101.80.0 - | Unassigned | Unassigned | | | | 1.3.101.80.0 - | Unassigned | Unassigned | | | |||
skipping to change at line 2479 | skipping to change at line 2477 | |||
The initial values of the "Error Types" registry, which are taken | The initial values of the "Error Types" registry, which are taken | |||
from the text in Section 5, are as follows: | from the text in Section 5, are as follows: | |||
+===================+===================================+===========+ | +===================+===================================+===========+ | |||
| Identifier | Meaning | Reference | | | Identifier | Meaning | Reference | | |||
+===================+===================================+===========+ | +===================+===================================+===========+ | |||
| malformed | The request could not be | RFC 9162 | | | malformed | The request could not be | RFC 9162 | | |||
| | parsed. | | | | | parsed. | | | |||
+-------------------+-----------------------------------+-----------+ | +-------------------+-----------------------------------+-----------+ | |||
| badSubmission | submission is neither a valid | RFC 9162 | | | badSubmission | submission is neither a | RFC 9162 | | |||
| | certificate nor a valid | | | | | valid certificate nor a | | | |||
| | precertificate. | | | | | valid precertificate. | | | |||
+-------------------+-----------------------------------+-----------+ | +-------------------+-----------------------------------+-----------+ | |||
| badType | type is neither 1 nor 2. | RFC 9162 | | | badType | type is neither 1 nor 2. | RFC 9162 | | |||
+-------------------+-----------------------------------+-----------+ | +-------------------+-----------------------------------+-----------+ | |||
| badChain | The first element of chain is | RFC 9162 | | | badChain | The first element of chain | RFC 9162 | | |||
| | not the certifier of the | | | | | is not the certifier of the | | | |||
| | submission, or the second | | | | | submission, or the second | | | |||
| | element does not certify the | | | | | element does not certify the | | | |||
| | first, etc. | | | | | first, etc. | | | |||
+-------------------+-----------------------------------+-----------+ | +-------------------+-----------------------------------+-----------+ | |||
| badCertificate | One or more certificates in | RFC 9162 | | | badCertificate | One or more certificates in | RFC 9162 | | |||
| | chain are not valid (e.g., | | | | | chain are not valid (e.g., | | | |||
| | not properly encoded). | | | | | not properly encoded). | | | |||
+-------------------+-----------------------------------+-----------+ | +-------------------+-----------------------------------+-----------+ | |||
| unknownAnchor | The last element of chain | RFC 9162 | | | unknownAnchor | The last element of chain | RFC 9162 | | |||
| | (or, if chain is an empty | | | | | (or, if chain is an empty | | | |||
| | array, the submission) both | | | | | array, the submission) is | | | |||
| | is not, and is not certified | | | | | not, nor is it certified by, | | | |||
| | by, an accepted trust anchor. | | | | | an accepted trust anchor. | | | |||
+-------------------+-----------------------------------+-----------+ | +-------------------+-----------------------------------+-----------+ | |||
| shutdown | The log is no longer | RFC 9162 | | | shutdown | The log is no longer | RFC 9162 | | |||
| | accepting submissions. | | | | | accepting submissions. | | | |||
+-------------------+-----------------------------------+-----------+ | +-------------------+-----------------------------------+-----------+ | |||
| firstUnknown | first is before the latest | RFC 9162 | | | firstUnknown | first is before the latest | RFC 9162 | | |||
| | known STH but is not from an | | | | | known STH but is not from an | | | |||
| | existing STH. | | | | | existing STH. | | | |||
+-------------------+-----------------------------------+-----------+ | +-------------------+-----------------------------------+-----------+ | |||
| secondUnknown | second is before the latest | RFC 9162 | | | secondUnknown | second is before the latest | RFC 9162 | | |||
| | known STH but is not from an | | | | | known STH but is not from an | | | |||
| | existing STH. | | | | | existing STH. | | | |||
+-------------------+-----------------------------------+-----------+ | +-------------------+-----------------------------------+-----------+ | |||
| secondBeforeFirst | second is smaller than first. | RFC 9162 | | | secondBeforeFirst | second is smaller than | RFC 9162 | | |||
| | first. | | | ||||
+-------------------+-----------------------------------+-----------+ | +-------------------+-----------------------------------+-----------+ | |||
| hashUnknown | hash is not the hash of a | RFC 9162 | | | hashUnknown | hash is not the hash of a | RFC 9162 | | |||
| | known leaf (may be caused by | | | | | known leaf (may be caused by | | | |||
| | skew or by a known | | | | | skew or by a known | | | |||
| | certificate not yet merged). | | | | | certificate not yet merged). | | | |||
+-------------------+-----------------------------------+-----------+ | +-------------------+-----------------------------------+-----------+ | |||
| treeSizeUnknown | hash is before the latest | RFC 9162 | | | treeSizeUnknown | hash is before the latest | RFC 9162 | | |||
| | known STH but is not from an | | | | | known STH but is not from an | | | |||
| | existing STH. | | | | | existing STH. | | | |||
+-------------------+-----------------------------------+-----------+ | +-------------------+-----------------------------------+-----------+ | |||
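Review bot: the treeSizeUnknown row (unchanged in both columns) gives its Meaning as "hash is before the latest known STH but is not from an existing STH", which reuses the firstUnknown/secondUnknown sentence pattern but names the wrong request parameter: the identifier concerns a tree size, yet the text talks about hash, and the hashUnknown row directly above already covers the hash parameter. Since this registry is stated to be taken from the text in Section 5, suggest checking that section and rewording the row to name the tree-size parameter the error actually refers to; the reflow in this change block left it untouched. The unknownAnchor rewording to "is not, nor is it certified by, an accepted trust anchor" does fix the awkward "both is not, and is not certified by" of the left column, and the secondBeforeFirst wrap onto two lines is purely a column-width change.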
skipping to change at line 2932 | skipping to change at line 2931 | |||
SignedCertificateTimestampList ::= OCTET STRING | SignedCertificateTimestampList ::= OCTET STRING | |||
END | END | |||
Acknowledgements | Acknowledgements | |||
The authors would like to thank Erwann Abelea, Robin Alden, Andrew | The authors would like to thank Erwann Abelea, Robin Alden, Andrew | |||
Ayer, Richard Barnes, Al Cutter, David Drysdale, Francis Dupont, Adam | Ayer, Richard Barnes, Al Cutter, David Drysdale, Francis Dupont, Adam | |||
Eijdenberg, Stephen Farrell, Daniel Kahn Gillmor, Paul Hadfield, Brad | Eijdenberg, Stephen Farrell, Daniel Kahn Gillmor, Paul Hadfield, Brad | |||
Hill, Jeff Hodges, Paul Hoffman, Jeffrey Hutzelman, Kat Joyce, | Hill, Jeff Hodges, Paul Hoffman, Jeffrey Hutzelman, Kat Joyce, Emilia | |||
Stephen Kent, SM, Alexey Melnikov, Linus Nordberg, Chris Palmer, | Kasper, Stephen Kent, Adam Langley, SM, Alexey Melnikov, Linus | |||
Trevor Perrin, Pierre Phaneuf, Eric Rescorla, Rich Salz, Melinda | Nordberg, Chris Palmer, Trevor Perrin, Pierre Phaneuf, Eric Rescorla, | |||
Shore, Ryan Sleevi, Martin Smith, Carl Wallace, and Paul Wouters for | Rich Salz, Melinda Shore, Ryan Sleevi, Martin Smith, Carl Wallace, | |||
their valuable contributions. | and Paul Wouters for their valuable contributions. | |||
A big thank you to Symantec for kindly donating the OIDs from the | A big thank you to Symantec for kindly donating the OIDs from the | |||
1.3.101 arc that are used in this document. | 1.3.101 arc that are used in this document. | |||
Authors' Addresses | Authors' Addresses | |||
Ben Laurie | Ben Laurie | |||
Google UK Ltd. | Google UK Ltd. | |||
Email: benl@google.com | Email: benl@google.com | |||
Adam Langley | ||||
Google Inc. | ||||
Email: agl@google.com | ||||
Emilia Kasper | ||||
Google Switzerland GmbH | ||||
Email: ekasper@google.com | ||||
Eran Messeri | Eran Messeri | |||
Google UK Ltd. | Google UK Ltd. | |||
Email: eranm@google.com | Email: eranm@google.com | |||
Rob Stradling | Rob Stradling | |||
Sectigo Ltd. | Sectigo Ltd. | |||
Email: rob@sectigo.com | Email: rob@sectigo.com | |||
End of changes. 9 change blocks. | ||||
35 lines changed or deleted | 24 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||