Re: [therightkey] Defining CT-for-PKIX and CT-for-DNSSEC
Ben Laurie <benl@google.com> Mon, 19 November 2012 13:08 UTC
Return-Path: <benl@google.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDF3F21F85EB for <therightkey@ietfa.amsl.com>; Mon, 19 Nov 2012 05:08:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level:
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V90JXdEHSEUw for <therightkey@ietfa.amsl.com>; Mon, 19 Nov 2012 05:08:23 -0800 (PST)
Received: from mail-wg0-f42.google.com (mail-wg0-f42.google.com [74.125.82.42]) by ietfa.amsl.com (Postfix) with ESMTP id 281A921F855E for <therightkey@ietf.org>; Mon, 19 Nov 2012 05:08:22 -0800 (PST)
Received: by mail-wg0-f42.google.com with SMTP id fm10so1076204wgb.1 for <therightkey@ietf.org>; Mon, 19 Nov 2012 05:08:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=KWTcRu8o+/FL0D4h0EWhVIVvDLp4ECPEH+oWjV0gJGw=; b=NSQgqzSt/3bEra73l2klal3a1sfwnHi4KODUtBwuMRMHzJ3yxP5exvIW1R7jgIwlJ1 KXYQL+P39hHtG9LWqZ+WaCsEeaHRy96VTVptqiUonnPXBg+nUqo0MYzwqgdLKBw6KZ1v 9zEXToq3pk8XoGSmrfhMtFndirH6bO0bZAn7sHe7iwIrFeYKk+uippwIN8Qf6ul092Ot Sqh542xq/yc9iQmr247Gpj3yIihZOd6R51XJ7tnGvZX1cPpOMy7dfPIpnDsp1T8j+dk4 jAcsreR8QaawbB02jLIubtOtHUq0aZRTGgW8A4Yqat5kEjgNH4uQoWb7DEwRlLjUtWwi gSyA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=KWTcRu8o+/FL0D4h0EWhVIVvDLp4ECPEH+oWjV0gJGw=; b=lsyoHA5DZ6VmRdGnPnzWlnMIc07/FDFl55Co8ylM3Q9BTwl6so1fcWQvd2VeyrqwoI 2YwMxgPWMumH18hZPVFBuIdgOXgbhIP4+KY3HXPTn4lFlLl1OViFp2Oz8UaYL/YL6ggv eaN+2fZKk8iwwLgD7im68xXTD7skcEojBAe9QGRot1tTblEwGLY8aczUPD/K1WVcpoyU COLjAZpmkVOg7zaFfOremzD2R+jZXHWtNpXiuFP6r96WCjjkoacTirS/+ANu2rGenj+C 9uRwH+a73H1jkvzerXIq30Dr5nCsUygVHtTLp11pq8YIwW8/LCxqtCzggSES38PrbM3g wE6g==
MIME-Version: 1.0
Received: by 10.180.14.2 with SMTP id l2mr3022392wic.2.1353330502001; Mon, 19 Nov 2012 05:08:22 -0800 (PST)
Received: by 10.194.51.100 with HTTP; Mon, 19 Nov 2012 05:08:21 -0800 (PST)
In-Reply-To: <CCCF8519.364EA%carl@redhoundsoftware.com>
References: <CABrd9STSJjXD5RZq0_1Bb6UnNkNqDMEVNxACNKu8dGA3t4dQzw@mail.gmail.com> <CCCF8519.364EA%carl@redhoundsoftware.com>
Date: Mon, 19 Nov 2012 13:08:21 +0000
Message-ID: <CABrd9SQrtaKTupOhPRyuomHaEXRopCE+vw_aqaYjC-F7uEKfwA@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Carl Wallace <carl@redhoundsoftware.com>
Content-Type: text/plain; charset="ISO-8859-1"
X-Gm-Message-State: ALoCoQnHjZuNQm+v3If99a5DopE1DR5D5CFInG6ACbpKeYWrtsXDU8hD2Vs0F+SwamtB5bi/sAwiAIPyWZkBS/jm4rlbKx3HwF+BFrgRerRSCRTyXnZwWYtmRyiN1uktqUf3J1mCjpxPN9/4RO92RI3reZ2qxFdRgjmIr0gQL8MFcrNgri/mufpqPNsSESGUrNG9uVm/jYJr
Cc: therightkey@ietf.org, Paul Wouters <paul@nohats.ca>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [therightkey] Defining CT-for-PKIX and CT-for-DNSSEC
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Nov 2012 13:08:24 -0000
On 19 November 2012 11:49, Carl Wallace <carl@redhoundsoftware.com> wrote: > On 11/19/12 5:30 AM, "Ben Laurie" <benl@google.com> wrote: > >>On 18 November 2012 01:32, Carl Wallace <carl@redhoundsoftware.com> wrote: >>> On 11/17/12 8:24 PM, "Paul Hoffman" <paul.hoffman@vpnc.org> wrote: >>> >>>>>And you cannot say "The CA industry" either, which is the answer for >>>>>the >>>>> CT-PKIX version. >>>> >>>>OK, so maybe you haven't been following the mailing list or reading the >>>>draft. In the CT-for-PKIX proposal, individuals can submit their own >>>>certificate. >>> >>> Under this approach, how does the log come to have certificates that a >>> legitimate owner would like to be made aware of? I understand the >>>utility >>> of including the CT in the certificate and having an individual submit >>> their certificate (or the CA on their behalf) but locking down a log to >>> these sorts of inputs would seem to limit their usefulness for detecting >>> rogue certs. >> >>The idea is that the log contains all certificates the browser might >>otherwise say are valid. If the cert would not be validated by the >>browser anyway, there's no real point it being in the log - and so, >>for pragmatic reasons (i.e. spam prevention), our current plan is to >>not allow such certificates to be logged. > > That is only true for browsers that hard fail on missing/broken CT > extensions. What is only true? That there's no point it being in the log if the browser would reject it anyway? I don't understand that. > I've not followed why hard failing on this is expected to > work but not for other existing mechanisms. We still have 15+ year olds > extensions that don't cause hard failures. Pushing the extension into the > certificate and only accepting certs that have it just makes this part of > the issuance machinery. The extension does not have to be in the certificate, it can also be in the TLS handshake. > In any case, I have a hard time seeing why you would reject certificates > signed by a public CA (or any other CA that is covered by the log). CA > operators and legitimate domain owners should be interested in these and > the signature check ought to be good enough for spam prevention unless > things are more broken than is commonly reported. We would not reject them. Why do you think we would?
- [therightkey] Defining CT-for-PKIX and CT-for-DNS… Paul Hoffman
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Shumon Huque
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Richard L. Barnes
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Paul Hoffman
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Carl Wallace
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Paul Wouters
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Paul Hoffman
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Carl Wallace
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Paul Wouters
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Carl Wallace
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Ben Laurie
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Ben Laurie
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Carl Wallace
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Ben Laurie
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Carl Wallace
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Ben Laurie
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Tom Ritter
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Ben Laurie