Re: [art] Is CT single-use origins or not? (Re: On BCP 190)
Jacob Hoffman-Andrews <jsha@letsencrypt.org> Wed, 24 July 2019 16:40 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/1lhPc4zGAMC8EwYGY_hBJyiPLUo>
On Wed, Jul 24, 2019 at 9:15 AM Adam Roach <adam@nostrum.com> wrote:

> Is the mechanism defined in the "Certificate Transparency
> Version 2.0" document constrained to run on an origin on
> which no other services are present?

No, definitely not. In practice, that's how people have tended to deploy it, mainly because origins are cheap, and CT's high availability requirements mean you don't want your website maintenance events to cause downtime for your CT log. However, it's worth reiterating that CT logs are specified by origin + path prefix, and most CT logs coexist on a single origin with multiple other logs, distinguished by path prefix.
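An added example, not part of the original message or of any CT implementation: a monitor-side sketch of why a log has to be keyed by origin plus path prefix rather than by origin alone. The log URLs are constructed, and the `ct/v2/get-sth` suffix is an assumption taken from the CT v2 endpoint naming.

```python
from collections import defaultdict
from urllib.parse import urlsplit, urljoin

# Constructed sample log base URLs (hypothetical hosts and prefixes).
SAMPLE_LOGS = [
    "https://ct.example.net/logs/alpha2019/",
    "https://ct.example.net/logs/alpha2020",
    "https://ct.example.net:443/logs/beta/",
    "https://other.example.org/",
]
DEFAULT_PORTS = {"https": 443, "http": 80}


def split_log_url(base_url):
    """Return (origin, path_prefix) for a log base URL."""
    parts = urlsplit(base_url)
    scheme = parts.scheme.lower()
    origin = f"{scheme}://{parts.hostname}"
    # An explicit default port does not create a different origin.
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(scheme):
        origin += f":{parts.port}"
    prefix = parts.path if parts.path.endswith("/") else parts.path + "/"
    return origin, prefix


def logs_by_origin(base_urls):
    """Group path prefixes by origin: one origin may host several logs."""
    groups = defaultdict(list)
    for url in base_urls:
        origin, prefix = split_log_url(url)
        groups[origin].append(prefix)
    return dict(groups)


def endpoint(base_url, suffix="ct/v2/get-sth"):
    """Build an endpoint URL that keeps the log's path prefix."""
    origin, prefix = split_log_url(base_url)
    return origin + prefix + suffix.lstrip("/")


def naive_endpoint(base_url, suffix="/ct/v2/get-sth"):
    # Pitfall: a leading "/" makes urljoin resolve against the origin root,
    # silently dropping the prefix that identifies this particular log.
    return urljoin(base_url, suffix)


if __name__ == "__main__":
    for origin, prefixes in logs_by_origin(SAMPLE_LOGS).items():
        print(origin, prefixes)
    print(endpoint(SAMPLE_LOGS[1]))
    print(naive_endpoint(SAMPLE_LOGS[0]))
```

Three of the four sample logs share one origin, so anything scoped per origin (pinned state, cached tree heads, access policy) would conflate them unless the prefix is part of the key.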