draft-ietf-trans-rfc6962-bis-19.txt  vs.  draft-ietf-trans-rfc6962-bis-20.txt

TRANS (Public Notary Transparency)                            B. Laurie
Internet-Draft                                                A. Langley
Intended status: Standards Track                              E. Kasper
Expires: March 4, 2017 [bis-19] / May 4, 2017 [bis-20]        E. Messeri
                                                              Google
                                                              R. Stradling
                                                              Comodo
                          August 31, 2016 [bis-19] / October 31, 2016 [bis-20]

                         Certificate Transparency
            draft-ietf-trans-rfc6962-bis-19 / draft-ietf-trans-rfc6962-bis-20

Abstract

   This document describes a protocol for publicly logging the existence
   of Transport Layer Security (TLS) server certificates as they are
   issued or observed, in a manner that allows anyone to audit
   certification authority (CA) activity and notice the issuance of
   suspect certificates as well as to audit the certificate logs
   themselves.  The intent is that eventually clients would refuse to
   honor certificates that do not appear in a log, effectively forcing
skipping to change at page 1, line 44

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 4, 2017.    [bis-19]
   This Internet-Draft will expire on May 4, 2017.      [bis-20]

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
skipping to change at page 42, line 5

   1.  Compare "leaf_index" against "tree_size".  If "leaf_index" is
       greater than or equal to "tree_size" fail the proof verification.

   2.  Set "fn" to "leaf_index" and "sn" to "tree_size - 1".

   3.  Set "r" to "hash".

   4.  For each value "p" in the "inclusion_path" array:

       If "sn" is 0, stop the iteration and fail the proof verification.
       [added in bis-20; not present in bis-19]

       If "LSB(fn)" is set, or if "fn" is equal to "sn", then:

       1.  Set "r" to "HASH(0x01 || p || r)"

       2.  If "LSB(fn)" is not set, then right-shift both "fn" and "sn"
           equally until either "LSB(fn)" is set or "fn" is "0".

       Otherwise:

       1.  Set "r" to "HASH(0x01 || r || p)"
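The verification procedure above, carried through as runnable code. This is an added example and is not code from either draft: it implements steps 1 to 4 as printed, including the "sn is 0" check that bis-20 introduces, and supplies the two pieces of the procedure that fall outside the excerpt shown here (the single right-shift of "fn" and "sn" that closes each iteration of step 4, and the final comparison of "sn" against 0 and "r" against the root hash). SHA-256 is assumed as the log's hash algorithm. The tree-building helpers mth and inclusion_path follow the Merkle Tree Hash and audit path definitions of RFC 6962 Section 2.1 and exist only to manufacture proofs to feed the verifier; the sample entries and the bis20_sn_check switch are constructed for illustration.

```python
"""Merkle inclusion-proof verification per the step list above.
Added example; not the draft's own code. SHA-256 assumed as the log hash."""
import hashlib


def HASH(data: bytes) -> bytes:
    # The drafts leave the hash algorithm to the log's parameters; SHA-256 is assumed.
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # Leaf hash per RFC 6962: the 0x00 prefix separates leaves from interior nodes.
    return HASH(b"\x00" + entry)


def mth(entries: list) -> bytes:
    """Merkle Tree Hash (RFC 6962 Section 2.1). Reference tree builder used only
    to produce inputs for the verifier; a client never holds the whole tree."""
    n = len(entries)
    if n == 0:
        return HASH(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = 1
    while 2 * k < n:  # k = largest power of two smaller than n
        k *= 2
    return HASH(b"\x01" + mth(entries[:k]) + mth(entries[k:]))


def inclusion_path(m: int, entries: list) -> list:
    """PATH(m, D[n]) from RFC 6962 Section 2.1.1: the audit path a log returns."""
    n = len(entries)
    if n == 1:
        return []
    k = 1
    while 2 * k < n:
        k *= 2
    if m < k:
        return inclusion_path(m, entries[:k]) + [mth(entries[k:])]
    return inclusion_path(m - k, entries[k:]) + [mth(entries[:k])]


def verify_inclusion(hash_: bytes, leaf_index: int, tree_size: int,
                     path: list, root_hash: bytes, bis20_sn_check: bool = True) -> bool:
    """Steps 1-4 as printed above plus the closing comparison that follows them
    in the draft. bis20_sn_check=False reproduces the bis-19 loop for comparison
    only; a real verifier always performs the check."""
    if leaf_index >= tree_size:                   # step 1
        return False
    fn, sn = leaf_index, tree_size - 1            # step 2
    r = hash_                                     # step 3
    for p in path:                                # step 4
        if bis20_sn_check and sn == 0:
            return False                          # more path elements than the tree has levels
        if (fn & 1) or fn == sn:
            r = HASH(b"\x01" + p + r)             # p is the left sibling
            if not (fn & 1):
                while fn != 0 and not (fn & 1):   # skip levels where this node is the last one
                    fn >>= 1
                    sn >>= 1
        else:
            r = HASH(b"\x01" + r + p)             # p is the right sibling
        fn >>= 1                                  # one level up (closes step 4 in the draft)
        sn >>= 1
    return sn == 0 and r == root_hash             # final comparison (outside the excerpt)


# Constructed sample log entries; not real certificates.
SAMPLE_ENTRIES = [b"constructed-entry-%d" % i for i in range(7)]


def overlong_path_demo() -> tuple:
    """Why bis-20 adds the check. A log signs an STH whose tree_size says 2 but
    whose root is that of a 4-entry tree, and returns the genuine size-2 path for
    entry 0 with one extra node appended. Returns (bis-20 result, bis-19 result)."""
    a, b, x0, x1 = SAMPLE_ENTRIES[:4]
    claimed_size = 2
    real_tree = [x0, x1, a, b]                    # `a` actually sits at index 2
    bogus_root = mth(real_tree)
    path = inclusion_path(0, [a, b]) + [mth([x0, x1])]
    bis20 = verify_inclusion(leaf_hash(a), 0, claimed_size, path, bogus_root)
    bis19 = verify_inclusion(leaf_hash(a), 0, claimed_size, path, bogus_root,
                             bis20_sn_check=False)
    return bis20, bis19


if __name__ == "__main__":
    root = mth(SAMPLE_ENTRIES)
    for i in range(len(SAMPLE_ENTRIES)):
        ok = verify_inclusion(leaf_hash(SAMPLE_ENTRIES[i]), i, len(SAMPLE_ENTRIES),
                              inclusion_path(i, SAMPLE_ENTRIES), root)
        print(f"entry {i}: {'valid' if ok else 'INVALID'}")
    print("over-long path accepted? (bis-20, bis-19):", overlong_path_demo())
```

The check matters because once "sn" reaches 0 inside the loop, "fn" is 0 as well, so every further path element lands in the "fn is equal to sn" branch, the right-shifts change nothing, and the extra elements are simply hashed in as left siblings while the closing "sn is 0" comparison still passes. overlong_path_demo shows a log exploiting that in the bis-19 version: a proof is accepted for the entry at index 0 of a supposed 2-entry tree although the root actually belongs to a 4-entry tree in which the entry sits at index 2. With the bis-20 check the path must be exactly as long as "leaf_index" and "tree_size" dictate.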
skipping to change at page 51, line 30

              <https://cabforum.org/wp-content/uploads/
              EV_Certificate_Guidelines.pdf>.

   [I-D.ietf-trans-gossip]
              Nordberg, L., Gillmor, D., and T. Ritter, "Gossiping in
              CT", draft-ietf-trans-gossip-03 (work in progress), July
              2016.

   [I-D.ietf-trans-threat-analysis]
              Kent, S., "Attack and Threat Model for Certificate
              Transparency", draft-ietf-trans-threat-analysis-08 (work
              in progress), August 2016.                       [bis-19]
              Kent, S., "Attack and Threat Model for Certificate
              Transparency", draft-ietf-trans-threat-analysis-10 (work
              in progress), October 2016.                      [bis-20]

   [JSON.Metadata]
              The Chromium Projects, "Chromium Log Metadata JSON
              Schema", 2014, <http://www.certificate-transparency.org/
              known-logs/log_list_schema.json>.

   [RFC6962]  Laurie, B., Langley, A., and E. Kasper, "Certificate
              Transparency", RFC 6962, DOI 10.17487/RFC6962, June 2013,
              <http://www.rfc-editor.org/info/rfc6962>.
End of changes.  6 change blocks.  6 lines changed or deleted, 8 lines changed or added.

This html diff was produced by rfcdiff 1.45.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/