Re: [therightkey] Defining CT-for-PKIX and CT-for-DNSSEC

Ben Laurie <benl@google.com> Mon, 19 November 2012 10:30 UTC

In-Reply-To: <CCCDA3EA.3648F%carl@redhoundsoftware.com>
References: <208851A7-84FB-4BF9-ACCE-18A931B146F6@vpnc.org> <CCCDA3EA.3648F%carl@redhoundsoftware.com>
Date: Mon, 19 Nov 2012 10:30:23 +0000
Message-ID: <CABrd9STSJjXD5RZq0_1Bb6UnNkNqDMEVNxACNKu8dGA3t4dQzw@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Carl Wallace <carl@redhoundsoftware.com>
Cc: therightkey@ietf.org, Paul Wouters <paul@nohats.ca>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [therightkey] Defining CT-for-PKIX and CT-for-DNSSEC

On 18 November 2012 01:32, Carl Wallace <carl@redhoundsoftware.com> wrote:
> On 11/17/12 8:24 PM, "Paul Hoffman" <paul.hoffman@vpnc.org> wrote:
>
>>>And you cannot say "The CA industry" either, which is the answer for the
>>> CT-PKIX version.
>>
>>OK, so maybe you haven't been following the mailing list or reading the
>>draft. In the CT-for-PKIX proposal, individuals can submit their own
>>certificate.
>
> Under this approach, how does the log come to have certificates that a
> legitimate owner would like to be made aware of?  I understand the utility
> of including the CT in the certificate and having an individual submit
> their certificate (or the CA on their behalf) but locking down a log to
> these sorts of inputs would seem to limit their usefulness for detecting
> rogue certs.

The idea is that the log contains all certificates the browser might
otherwise say are valid. If the cert would not be validated by the
browser anyway, there's no real point in it being in the log - and so,
for pragmatic reasons (i.e. spam prevention), our current plan is to
not allow such certificates to be logged.
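The admission rule described above (log only what a browser would accept anyway) and the earlier question about how a name's legitimate owner comes to see certificates issued for it, as an added Python model that is not code from this thread or from the CT draft. Certificates are reduced to constructed dicts, and a simplified issuer-to-subject chaining check against a configured root set stands in for real X.509 validation; the leaf and node hashing, audit path construction and inclusion verification follow the RFC 6962 Merkle Tree Hash definitions. The `CTLog` class, `chains_to_accepted_root` and `entries_for_subject` are names chosen for this example, not names from the draft.

```python
import hashlib

# Constructed sample data: certificates reduced to dicts, not real X.509.
SAMPLE_ROOT = {"subject": "Example Root CA", "issuer": "Example Root CA", "spki": "root-key"}
SAMPLE_INTERMEDIATE = {"subject": "Example Issuing CA", "issuer": "Example Root CA", "spki": "int-key"}


def leaf_cert(subject, spki, issuer="Example Issuing CA"):
    """Build a constructed end-entity certificate record."""
    return {"subject": subject, "issuer": issuer, "spki": spki}


def chains_to_accepted_root(chain, accepted_roots):
    """Simplified stand-in for chain validation: each cert's issuer must be the
    next cert's subject, and the last cert must be a self-issued accepted root."""
    if not chain:
        return False
    for cert, issuer in zip(chain, chain[1:]):
        if cert["issuer"] != issuer["subject"]:
            return False
    root = chain[-1]
    return root["subject"] == root["issuer"] and root["subject"] in accepted_roots


def _serialize(cert):
    return "|".join((cert["subject"], cert["issuer"], cert["spki"])).encode()


def _leaf_hash(data):
    return hashlib.sha256(b"\x00" + data).digest()      # RFC 6962 leaf prefix


def _node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()  # RFC 6962 node prefix


def _split(n):
    """Largest power of two strictly smaller than n (n > 1)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves):
    """RFC 6962 MTH over a list of leaf hashes."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return _node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def audit_path(m, leaves):
    """RFC 6962 PATH(m, D[n]): sibling hashes from the leaf upward."""
    n = len(leaves)
    if n <= 1:
        return []
    k = _split(n)
    if m < k:
        return audit_path(m, leaves[:k]) + [merkle_root(leaves[k:])]
    return audit_path(m - k, leaves[k:]) + [merkle_root(leaves[:k])]


def _root_from_path(leaf, m, n, path):
    """Recompute the root by undoing the PATH recursion; None on a malformed path."""
    if n == 1:
        return leaf if not path else None
    if not path:
        return None
    k = _split(n)
    sibling = path[-1]
    if m < k:
        sub = _root_from_path(leaf, m, k, path[:-1])
        return None if sub is None else _node_hash(sub, sibling)
    sub = _root_from_path(leaf, m - k, n - k, path[:-1])
    return None if sub is None else _node_hash(sibling, sub)


def verify_inclusion(leaf_hash, index, tree_size, path, expected_root):
    if not 0 <= index < tree_size:
        return False
    return _root_from_path(leaf_hash, index, tree_size, path) == expected_root


class CTLog:
    """Append-only log applying the admission policy from the thread."""

    def __init__(self, accepted_roots):
        self.accepted_roots = set(accepted_roots)
        self.certs = []    # end-entity records, in log order
        self.leaves = []   # their leaf hashes

    def submit(self, chain):
        """Accept only chains a relying party would validate; return the entry index."""
        if not chains_to_accepted_root(chain, self.accepted_roots):
            raise ValueError("rejected: chain does not reach an accepted root")
        self.certs.append(chain[0])
        self.leaves.append(_leaf_hash(_serialize(chain[0])))
        return len(self.leaves) - 1

    def root(self):
        return merkle_root(self.leaves)

    def inclusion_proof(self, index):
        return audit_path(index, self.leaves)

    def entries_for_subject(self, subject):
        """What a domain owner's monitor would pull: every entry naming its subject."""
        return [i for i, c in enumerate(self.certs) if c["subject"] == subject]
```

A monitor acting for `www.example.com` polls `entries_for_subject` and checks each new entry against the keys it actually deployed; a submission whose chain ends at a root the log does not trust is refused before it ever reaches the tree, which is the spam-prevention side of the policy.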