Re: CT-Policy (was: Comments on draft-stark-expect-ct-00)

Martin Thomson <martin.thomson@gmail.com> Fri, 25 November 2016 01:01 UTC

In-Reply-To: <CAPP_2SZheZgt4nyeaM2A-nyBDBZ9VsaWTP0cQtHsxEr6mJzxug@mail.gmail.com>
References: <0514193c-a27d-4510-5c2f-caf82162bfc3@KingsMountain.com> <CABkgnnWhMz0pf7P55Drp1w3vVgY2w90kTPmOzQ-He1CJnnWUJQ@mail.gmail.com> <CAPP_2SZheZgt4nyeaM2A-nyBDBZ9VsaWTP0cQtHsxEr6mJzxug@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 25 Nov 2016 11:55:25 +1100
Message-ID: <CABkgnnXTUf6E6+Poj1Vgx5P08+AzO1qtKNvnibzA0wHPeaxngA@mail.gmail.com>
To: Emily Stark <estark@google.com>
Cc: "=JeffH" <Jeff.Hodges@kingsmountain.com>, IETF HTTP WG <ietf-http-wg@w3.org>, Eric Rescorla <ekr@rtfm.com>
Archived-At: <http://www.w3.org/mid/CABkgnnXTUf6E6+Poj1Vgx5P08+AzO1qtKNvnibzA0wHPeaxngA@mail.gmail.com>

On 25 November 2016 at 02:52, Emily Stark <estark@google.com> wrote:
> But I do think it would be reasonable to advise site operators of the shape
> that a CT policy generally takes and what the moving parts are in practice
> (which is maybe what your point below is getting at).

Yes.  This.

Ideally it would also describe the maximal policy, so an operator
could know where the bar is.  But that's impossible without
enumerating the set of possible log operators and I don't think we
want that.