Re: [saag] [pkix] Fwd: [therightkey] Certificate Transparency Working Group?
denis.pinkas@bull.net Thu, 06 September 2012 14:55 UTC
In-Reply-To: <5048B653.3080902@cs.tcd.ie>
References: <5048B653.3080902@cs.tcd.ie>, <CABrd9ST=8iRB6+d=Oka6nnM+xaZfPcR+NMx_QAF-8+_dq1XTig@mail.gmail.com>
From: denis.pinkas@bull.net
To: stephen.farrell@cs.tcd.ie
Message-ID: <OF7814676F.9D502DDE-ONC1257A71.00520289-C1257A71.0052028F@bull.net>
Date: Thu, 06 Sep 2012 16:55:46 +0200
Cc: pkix@ietf.org, wpkops@ietf.org, saag@ietf.org
Subject: Re: [saag] [pkix] Fwd: [therightkey] Certificate Transparency Working Group?
Part of the stated objective (i.e. verify the issuance of public X.509 certificates) is currently addressed, within the context of OCSP, in:

https://datatracker.ietf.org/doc/draft-pinkas-2560bis-certinfo/

This draft is being considered within the PKIX WG.

The second part of the objective (i.e. making all publicly issued certificates available to applications) may be dangerous in many situations.

Denis

----- pkix-bounces@ietf.org wrote: -----

To: "saag@ietf.org" <saag@ietf.org>, "'wpkops@ietf.org'" <wpkops@ietf.org>, pkix <pkix@ietf.org>
From: Stephen Farrell
Sent by: pkix-bounces@ietf.org
Date: 06/09/2012 16:42
Subject: [pkix] Fwd: [therightkey] Certificate Transparency Working Group?

Hi all,

Please see below. Ben Laurie's looking to see if folks are interested in a BoF on Certificate Transparency for the IETF meeting in Atlanta. Sean and I would be fine with that, if there's sufficient interest etc.

Please follow up on therightkey@ietf.org if this is a topic that's of interest to you.

Thanks,
Stephen.

-------- Original Message --------
Subject: [therightkey] Certificate Transparency Working Group?
Date: Thu, 6 Sep 2012 15:32:05 +0100
From: Ben Laurie <benl@google.com>
To: therightkey@ietf.org

Would people be interested in starting a WG on Certificate Transparency? If so, how about a BoF in Atlanta? Here's a draft charter...

CT IETF WG Draft Charter

Objective

Specify mechanisms and techniques that allow Internet applications to monitor and verify the issuance of public X.509 certificates such that all publicly issued certificates are available to applications, and each certificate seen by an application can be efficiently shown to be in the log of issued certificates. Furthermore, it should be possible to cryptographically verify the correct operation of the log. Optionally, do the same for certificate revocations.

Problem Statement

Currently it is possible for any CA to issue a certificate for any site without any oversight. This has led to some high profile mis-issuance of certificates, such as by DigiNotar, a subsidiary of VASCO Data Security International, in July 2011 (http://www.vasco.com/company/about_vasco/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx).

The aim is to make it possible to detect such mis-issuance promptly through the use of a public log of all publicly issued certificates. Domain owners can then monitor this log and, upon detecting mis-issuance, take appropriate action. This public log must also be able to efficiently demonstrate its own correct operation, rather than introducing yet another party that must be trusted into the equation. Clients should also be able to efficiently verify that certificates they receive have indeed been entered into the public log.

For revocations, the aim would be similar: ensure that revocations are as expected, that clients can efficiently obtain the revocation status of a certificate and that the log is operating correctly.

Also, in both cases, the solution must be usable by browsers - this means that it cannot add any round trips to page fetches, and that any data transfers that are mandatory are of a reasonable size.