Re: [art] Is CT single-use origins or not? (Re: On BCP 190)
Adam Roach <adam@nostrum.com> Wed, 24 July 2019 16:58 UTC
Return-Path: <adam@nostrum.com>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5B9B12015B for <art@ietfa.amsl.com>; Wed, 24 Jul 2019 09:58:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.678
X-Spam-Level:
X-Spam-Status: No, score=-1.678 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=nostrum.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7bAQRl5ML32Q for <art@ietfa.amsl.com>; Wed, 24 Jul 2019 09:58:54 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A27F6120059 for <art@ietf.org>; Wed, 24 Jul 2019 09:58:54 -0700 (PDT)
Received: from Orochi.local ([196.52.21.213]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id x6OGwo1t047161 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 24 Jul 2019 11:58:52 -0500 (CDT) (envelope-from adam@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1563987533; bh=8NVxF5ku2vERcXBnMqoPzAO49ooyIRqerJh11NSZB0k=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=RV8I3oN6HcpFY46hmNfR7F+TF4K/gXrf1CGJEyir3lAgGw4B6zc+LNq3FNxIq2GW0 Q0XI8zCIGSx6IbkjlD+P7Jdz8vey3B4v5e+OyLYv594lRt/KlzKDAI9Wz4XFGEf2Xt SU1W5EdUsBFpMUoNk0IZyDuf7SM37a8EnwQoLcho=
X-Authentication-Warning: raven.nostrum.com: Host [196.52.21.213] claimed to be Orochi.local
To: Jacob Hoffman-Andrews <jsha@letsencrypt.org>
Cc: Melinda Shore <melinda.shore@nomountain.net>, Mark Nottingham <mnot@mnot.net>, art@ietf.org
References: <58BF6171-03BB-4F83-940F-3A101EFDD67F@mnot.net> <2ba63f8c-0f61-bd59-fbca-9d782a0d9818@mnt.se> <F81E44F7-7B51-4C68-9470-E94EFD2D4102@mnot.net> <e9780f61-681f-a5d9-7b06-549a2e652f5f@mnt.se> <42C8475A-6DFE-4DC6-B608-8159B90F9CDB@mnot.net> <55E6A246-4D77-44DA-AF2B-AA9C42FACC2F@mnt.se> <750cb62e-1256-4e3f-a072-438f6d468f2d@nostrum.com> <9847EF63-6BDE-4746-81C7-EA446FC5938E@mnt.se> <14ed2e66-938e-9ffd-7ff4-ef632c95db14@nostrum.com> <78D647A0-9DDF-444E-8FC0-38395892F054@mnot.net> <99D64809-8010-4E4D-B60E-DC7DD12C0F3B@mnt.se> <649DC0E7-513E-4004-BB9D-C94D9DD29AE7@mnot.net> <c2cb630c-1230-57c4-8688-27371eadabac@nomountain.net> <4B9A518C-6E90-444F-924E-4153AA0E27C7@mnot.net> <21f48b82-43b2-40c0-1590-075f05eaf4dc@nomountain.net> <5415fb69-b63c-ec92-5d66-8af730ff6959@nostrum.com> <CAN3x4Qn+ZQnetH1yBQ-Exe7ALfo-PbSUAr4TcL6j+hTkeDERmw@mail.gmail.com>
From: Adam Roach <adam@nostrum.com>
Message-ID: <58da5d86-67f9-3b51-d30e-0f3f6c1fbf3c@nostrum.com>
Date: Wed, 24 Jul 2019 12:58:40 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <CAN3x4Qn+ZQnetH1yBQ-Exe7ALfo-PbSUAr4TcL6j+hTkeDERmw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------327266DD3DA5353C4350F759"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/LkeZ9U9hzx6f-5-4ov5q8LZbyAk>
Subject: Re: [art] Is CT single-use origins or not? (Re: On BCP 190)
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2019 16:58:56 -0000
On 7/24/19 12:40, Jacob Hoffman-Andrews wrote: > On Wed, Jul 24, 2019 at 9:15 AM Adam Roach <adam@nostrum.com > <mailto:adam@nostrum.com>> wrote: > > Is the mechanism defined in the "Certificate Transparency > Version 2.0" document constrained to run on an origin on > which no other services are present? > > > No, definitely not. In practice, that's how people have tended to > deploy it, mainly because origins are cheap, and CT's high > availability requirements mean you don't want your website maintenance > events to cause downtime for your CT log. Thanks for the clear answer. Given this information, I would to ask that we *not* focus on the question of whether single-use origins can reasonably have more lax restrictions than other origins, at least until we figure out the question of how to handle the CT document. To be clear: I'd like the ART community to discuss this topic at some point, but I don't want to hold up the CT document on its conclusion. This is a request to *defer* the conversation, not a request to abandon it. /a
- [art] On BCP 190 Mark Nottingham
- Re: [art] On BCP 190 Leif Johansson
- Re: [art] On BCP 190 Mark Nottingham
- Re: [art] On BCP 190 Leif Johansson
- Re: [art] On BCP 190 Mark Nottingham
- Re: [art] On BCP 190 Leif Johansson
- Re: [art] On BCP 190 Adam Roach
- Re: [art] On BCP 190 Leif Johansson
- Re: [art] On BCP 190 Adam Roach
- Re: [art] On BCP 190 Mark Nottingham
- Re: [art] On BCP 190 Leif Johansson
- Re: [art] On BCP 190 Mark Nottingham
- Re: [art] On BCP 190 Melinda Shore
- Re: [art] On BCP 190 Leif Johansson
- Re: [art] On BCP 190 Mark Nottingham
- Re: [art] On BCP 190 Melinda Shore
- [art] Is CT single-use origins or not? (Re: On BC… Adam Roach
- Re: [art] Is CT single-use origins or not? (Re: O… Jacob Hoffman-Andrews
- Re: [art] On BCP 190 Jacob Hoffman-Andrews
- Re: [art] Is CT single-use origins or not? (Re: O… Adam Roach
- Re: [art] On BCP 190 Mark Nottingham
- Re: [art] On BCP 190 Jacob Hoffman-Andrews
- Re: [art] On BCP 190 Mark Nottingham
- Re: [art] On BCP 190 Tony Finch
- Re: [art] On BCP 190 Mark Nottingham
- Re: [art] On BCP 190 Tony Finch
- Re: [art] On BCP 190 Jacob Hoffman-Andrews
- Re: [art] On BCP 190 Larry Masinter
- Re: [art] On BCP 190 Carsten Bormann
- Re: [art] On BCP 190 Jacob Hoffman-Andrews
- Re: [art] On BCP 190 Mark Nottingham
- [art] Call for Consensus: Re: On BCP 190 Adam Roach
- Re: [art] On BCP 190 Jacob Hoffman-Andrews
- Re: [art] Call for Consensus: Re: On BCP 190 Carsten Bormann
- Re: [art] Call for Consensus: Re: On BCP 190 Mark Nottingham
- Re: [art] On BCP 190 Stephen Farrell
- Re: [art] Call for Consensus: Re: On BCP 190 Rob Sayre
- Re: [art] On BCP 190 Tony Finch
- Re: [art] Call for Consensus: Re: On BCP 190 Rob Stradling
- Re: [art] Call for Consensus: Re: On BCP 190 Adam Roach
- Re: [art] Call for Consensus: Re: On BCP 190 John C Klensin
- Re: [art] Call for Consensus: Re: On BCP 190 Melinda Shore
- Re: [art] Call for Consensus: Re: On BCP 190 Mark Nottingham
- Re: [art] Call for Consensus: Re: On BCP 190 John C Klensin
- Re: [art] Call for Consensus: Re: On BCP 190 Ben Campbell
- Re: [art] Call for Consensus: Re: On BCP 190 John C Klensin
- Re: [art] Call for Consensus: Re: On BCP 190 Adam Roach
- Re: [art] Call for Consensus: Re: On BCP 190 Adam Roach
- Re: [art] Call for Consensus: Re: On BCP 190 John C Klensin
- Re: [art] Call for Consensus: Re: On BCP 190 Adam Roach
- Re: [art] Call for Consensus: Re: On BCP 190 John C Klensin
- Re: [art] Call for Consensus: Re: On BCP 190 Adam Roach
- Re: [art] Call for Consensus: Re: On BCP 190 Adam Roach
- Re: [art] Call for Consensus: Re: On BCP 190 John C Klensin
- Re: [art] Call for Consensus: Re: On BCP 190 Larry Masinter