Re: CT-Policy (was: Comments on draft-stark-expect-ct-00)

Martin Thomson <> Thu, 24 November 2016 03:47 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D176A12943A for <>; Wed, 23 Nov 2016 19:47:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -8.498
X-Spam-Status: No, score=-8.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.497, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Z4m5My5By1Nj for <>; Wed, 23 Nov 2016 19:47:07 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C2CBF129533 for <>; Wed, 23 Nov 2016 19:47:07 -0800 (PST)
Received: from lists by with local (Exim 4.80) (envelope-from <>) id 1c9kwF-0008Ot-4B for; Thu, 24 Nov 2016 03:43:07 +0000
Resent-Date: Thu, 24 Nov 2016 03:43:07 +0000
Resent-Message-Id: <>
Received: from ([]) by with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <>) id 1c9kw6-0008O4-C2 for; Thu, 24 Nov 2016 03:42:58 +0000
Received: from ([]) by with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <>) id 1c9kw0-0002pG-Hr for; Thu, 24 Nov 2016 03:42:53 +0000
Received: by with SMTP id c47so29749347qtc.2 for <>; Wed, 23 Nov 2016 19:42:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=dheAEDBfHekKvFk5Kmk0Ja1aZ8GdHlQZteMlPYqQ+Pc=; b=Y5hxw1oKtgQES79iCpBOg4e+s4ra24IsdOEea4L7mkfrf4QLH2yXTjBWIkugCcril/ OLtg2NYT0xS+xJPnc7QYiXs/i5yuObu6DXQyXs5flJXxvj2wTgGniqnZJ0oI52Z4HjuA dW7MFUdvaIcZOtgNWJnGz1BLU+yT6cwH4VO34Oq+lwDW+Fd61p/WrpS0RS6MxpCpNnQo OQuxkeoUrr5FfFtPTyJAGI2bQzDNMynEXqRa7GL9E+Bw6sEaw8Rd9cIebOWQ26GB8Cex s4mzJVCUbEuDfQ3+KWdCCL22579FzsMyRjOaiZ8ujCTncijmw9m/VmBH5boNR1RPn8F7 6v8g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=dheAEDBfHekKvFk5Kmk0Ja1aZ8GdHlQZteMlPYqQ+Pc=; b=LNhnDRSKqueVCkxFpKosUOETULym7EikyxRo3vgjb80dodyOAs+os3+7efPGHAw0rq 2TDdrQ86hEqDwaC9XOG03AQA9ruU8++PeRj6l3joxoFADt3Qheblw0EMrjxN5I0lidsU hkCKSYdAnBg09yWgWkf37Cbxe0XutFd1FYeUxvDsTSNycHak8B1DLjofLJ2wjONB+Ylv nIX+nMEo2AzuENrMFrXfCR9zqvcdIxMEcIXPdDCVAwiXEcVNKjm0vBdzUnTyV1w2pETB AJz0urRQ+oFt/R6o7tcJv/Z/x05Hrh6sYERRyEn1cnonVOpJKHghtOOmJ8XsoXsL14Ir YoQg==
X-Gm-Message-State: AKaTC00ybbMWnc4dxdA5mSIF6s3Elb9cfnxFdm5CR5H/lyKHbfQgrG89viuE7HlP65bmnMcx/Ecsq4+4Efnqfg==
X-Received: by with SMTP id g30mr203507qtd.144.1479958946559; Wed, 23 Nov 2016 19:42:26 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Wed, 23 Nov 2016 19:42:26 -0800 (PST)
In-Reply-To: <>
References: <>
From: Martin Thomson <>
Date: Thu, 24 Nov 2016 14:42:26 +1100
Message-ID: <>
To: =JeffH <>
Cc: Emily Stark <>, IETF HTTP WG <>, Eric Rescorla <>
Content-Type: text/plain; charset="UTF-8"
Received-SPF: pass client-ip=;;
X-W3C-Hub-Spam-Status: No, score=-6.4
X-W3C-Hub-Spam-Report: AWL=0.353, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: 1c9kw0-0002pG-Hr 46e19b50dcb87940b69b70f748c74e82
Subject: Re: CT-Policy (was: Comments on draft-stark-expect-ct-00)
Archived-At: <>
X-Mailing-List: <> archive/latest/32986
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

On 24 November 2016 at 13:33, =JeffH <> wrote:
>> Do you think it would be reasonable to reference the Chromium +
>> Mozilla CT policies but not define a particular policy in a normative
>> way?
> yep :)

If HSTS is our benchmark, and that benchmark is so nebulous then it's
a bad one.  The objection that ekr raised was fair: how do I know what
baseline I have to reach in order to avoid the footgun.

Maybe there are weasel words that can be used to allow browsers to
choose their own logs.  But can we at least write down the basics: the
certificate is logged, the TLS handshake includes an SCT, etc...
Surely the current set of policies indicates a common set of
principles that can be written into a specification.

If we're well outside 6962 territory and into policy land, at least
proscribe what falls into policy.  Reading the Mozilla policy, it
seems like number and choice of logs might be the only places where
variation is possible.