Re: Call for Adoption: Expect-CT

Alessandro Ghedini <alessandro@ghedini.me> Sat, 10 December 2016 14:19 UTC

Date: Sat, 10 Dec 2016 14:15:14 +0000
From: Alessandro Ghedini <alessandro@ghedini.me>
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>, Patrick McManus <mcmanus@ducksong.com>
Message-ID: <20161210141514.25yserfi74cb3ppk@pinky.local>
References: <6B6FE4E1-D020-44B1-9F45-07202552E606@mnot.net> <972514F9-6237-4420-97AB-000655A0662E@gbiv.com>
In-Reply-To: <972514F9-6237-4420-97AB-000655A0662E@gbiv.com>
Archived-At: <http://www.w3.org/mid/20161210141514.25yserfi74cb3ppk@pinky.local>

On Fri, Dec 09, 2016 at 12:13:15PM -0800, Roy T. Fielding wrote:
> Why is this not a TLS option, preferably signaled by an attribute of the
> certificate itself?

I don't have strong opinions about HTTP header vs TLS extension, but making
this an X.509 extension would severely impact adoption of this mechanism in
the short and medium terms since it would require explicit support from CAs.

Might be worth noting that by using an HTTP header a site behind a third-party
CDN could in theory implement the mechanism itself without support from the
CDN (whether this is a useful thing is unclear though).

Cheers