Re: [saag] [Trans] draft-iab-crypto-alg-agility-00

Ben Laurie <benl@google.com> Tue, 08 April 2014 14:08 UTC

From: Ben Laurie <benl@google.com>
To: "Salz, Rich" <rsalz@akamai.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/egckEXq01jX7j4pegNk9f2c01ts
Cc: "trans@ietf.org" <trans@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] [Trans] draft-iab-crypto-alg-agility-00

On 7 April 2014 20:08, Salz, Rich <rsalz@akamai.com> wrote:
> So the concern is log servers that are going to reserve the right to "go rogue" by using weak crypto that could be subverted?  Or is there a different concern?

Right, that's the concern.

> I believe this can be addressed by leaving the data formats future-proof, but mandating the crypto in the RFC. For example, put a hash identifier (OID, TLS id, whatever) in the hash entry, but the RFC says "MUST use SHA-256."  To make it even stronger, you could set up an IANA registry. Being pragmatic, nobody's going to implement anything other than what Chrome supports, at least at first. And by making log data self-identifying, you can (quietly) perform experiments on new crypto types.

As I responded to Steve, I agree that there should be an identifier,
but it belongs in the metadata about the logs. The RFC does not (and
arguably should not) specify how logs get that metadata, nor what
format it is in.

>
>         /r$
>
> --
> Principal Security Engineer
> Akamai Technology
> Cambridge, MA



-- 
Certificate Transparency is hiring! Let me know if you're interested.
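
The difference between the two positions in this exchange, as an added example that is not part of the original message or of any CT implementation: a verifier that trusts a hash identifier carried in the log's own data, next to one that takes the algorithm from the client's metadata about the log. The log ID, field names, metadata layout and the SHA-256-only policy set are assumptions; the leaf hash follows the RFC 6962 form HASH(0x00 || leaf).

```python
import hashlib

# Constructed client-side metadata about known logs. How a client obtains this,
# and in what format, is deliberately left open; this layout is hypothetical.
LOG_METADATA = {"example-log-1": {"hash_alg": "sha256"}}

# Assumed client policy: only SHA-256 is acceptable.
ALLOWED_HASHES = {"sha256"}


def leaf_hash(alg, leaf):
    """RFC 6962 style leaf hash: HASH(0x00 || leaf)."""
    return hashlib.new(alg, b"\x00" + leaf).digest()


def verify_inband(entry):
    """Trusts whatever algorithm the log data names for itself."""
    return leaf_hash(entry["hash_alg"], entry["leaf"]) == entry["leaf_hash"]


def verify_with_metadata(log_id, entry, metadata=LOG_METADATA):
    """Ignores any in-band identifier; the algorithm comes from log metadata."""
    meta = metadata.get(log_id)
    if meta is None or meta["hash_alg"] not in ALLOWED_HASHES:
        return False
    return leaf_hash(meta["hash_alg"], entry["leaf"]) == entry["leaf_hash"]


def make_entry(alg, leaf):
    """Builds a constructed sample entry as a log using `alg` would emit it."""
    return {"hash_alg": alg, "leaf": leaf, "leaf_hash": leaf_hash(alg, leaf)}


# Constructed samples: an entry from a log using SHA-256, and one from a log
# that has switched to a weaker hash and says so in its own data.
HONEST = make_entry("sha256", b"constructed leaf input")
WEAKENED = make_entry("sha1", b"constructed leaf input")

if __name__ == "__main__":
    for name, entry in (("honest", HONEST), ("weakened", WEAKENED)):
        print(name,
              "in-band:", verify_inband(entry),
              "metadata:", verify_with_metadata("example-log-1", entry))
```
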