IETF Logo Mail Archive

Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

Chema López González <clopez@firmaprofesional.com> Mon, 10 February 2014 16:29 UTC

Return-Path: <me@chemalogo.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A0EA1A07EE for <therightkey@ietfa.amsl.com>; Mon, 10 Feb 2014 08:29:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.667
X-Spam-Level:
X-Spam-Status: No, score=-1.667 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, T_REMOTE_IMAGE=0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ln93eOwXbFjy for <therightkey@ietfa.amsl.com>; Mon, 10 Feb 2014 08:29:18 -0800 (PST)
Received: from mail-qa0-f51.google.com (mail-qa0-f51.google.com [209.85.216.51]) by ietfa.amsl.com (Postfix) with ESMTP id 9AFAE1A06DC for <therightkey@ietf.org>; Mon, 10 Feb 2014 08:29:18 -0800 (PST)
Received: by mail-qa0-f51.google.com with SMTP id f11so9738779qae.24 for <therightkey@ietf.org>; Mon, 10 Feb 2014 08:29:18 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-type; bh=DqqAPnlObq4NoZ0+R9GIcvKzoMAUbxN+ORAC5GTbC2Q=; b=gN+xDxFyf6Es45K5Ouo66msbLtIj9+Yx0T2/0i5XVS/ax/X8GShe6uTMEXtvjGe+BB 2duXtWHg/EiIxqYB4vYqJHQRURfUYESbPMZGAnhhzgcxPPUHrgqnJZyw7RyulYAzN1kr 6eiFC/KtUa6GR7AWaINURB8XEAkiH2zLkj6w8ldCJNCaGzij8b6XO8skkNwUuRQXHWGI PZVzAbulzHFFFJ1wbXroLvB4Y7xZMuqg58bWZJ0Er1jhDbyDlSisr84xUkBBSjDvVXUe gRaabfT1Nxug/emtl7p9tbmi4kz2PbKVjrgoeWGadsY/YNh5iF2cqDt79UxTSKqr5PSC nxPQ==
X-Gm-Message-State: ALoCoQlcOkYurA7k9MIADmH+rS3zFKSO9oE8U460PHYqrE59sR1VX3FfsICIQIL/85KqPvdpxp68
X-Received: by 10.229.139.199 with SMTP id f7mr45030498qcu.2.1392049757961; Mon, 10 Feb 2014 08:29:17 -0800 (PST)
MIME-Version: 1.0
Sender: me@chemalogo.com
Received: by 10.140.101.197 with HTTP; Mon, 10 Feb 2014 08:28:47 -0800 (PST)
X-Originating-IP: [84.88.59.1]
In-Reply-To: <52F8BCF5.4060506@comodo.com>
References: <CABrd9STwBDxwB1vtmS9Ozb5e_7D=zfOqkOBeAaT2HG7X-cw5gw@mail.gmail.com> <52F25835.60702@comodo.com> <CAL9PXLzCqvBGW=Du9ZAdMXiVgcO8WJHXf+wG7EuzE2246TFEmg@mail.gmail.com> <52F27445.6040701@comodo.com> <CAL9PXLzfatu_2LNCrCAKZWYLJArXE7+PDXswGD5fYK0byg-iJQ@mail.gmail.com> <52F2811A.9030800@comodo.com> <CABrd9SSxLCMOFv7GszzDf-xbZMYUTP6N3WSbK=8NOM=nCBy=Bg@mail.gmail.com> <52F8A650.6060209@comodo.com> <CABrd9SSOijFe+B_zXoXKzVz67JPgFsj5g6+urBZ=R9QvYhWETA@mail.gmail.com> <52F8BCF5.4060506@comodo.com>
From: Chema López González <clopez@firmaprofesional.com>
Date: Mon, 10 Feb 2014 17:28:47 +0100
X-Google-Sender-Auth: -LINmhKDthOG1v0bOtZr-pX4w3c
Message-ID: <CAPZr7T+t7vcjoKo1u_7VRWAizysG3QJ-RSiJ7WnVoGNFDi2gqA@mail.gmail.com>
To: Rob Stradling <rob.stradling@comodo.com>, certificate-transparency@googlegroups.com
Content-Type: multipart/alternative; boundary="001a11c3e454555f7f04f20fd797"
X-Mailman-Approved-At: Mon, 10 Feb 2014 17:03:12 -0800
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, CABFPub <public@cabforum.org>
Subject: Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Feb 2014 19:23:56 -0000

Have anyone take into account the current position of
EJBCA<http://blog.ejbca.org/2013/09/certificate-transparency-and.html>,
a mayor player in this stuff of digital certificates?

To summarize:

"My suggestion:
- Skip PreCertificates altogether"


On the other hand, trying to use a thing that looks like a certificate
(X.509v3) not to do the task of a certificate is like trying to use a
screwdriver to nail nails.

We agree that the information contained in the precertificate is relevant,
and that the signature of such information is also necessary, but maybe the
container could be a different format or ASN.1 structure different from a
X.509v3 cert.






[image: AC Firmaprofesional S.A.] <http://www.firmaprofesional.com/>




*Chema López González AC Firmaprofesional S.A.*


Av. Torre Blanca, 57.
Edificio ESADECREAPOLIS - 1B13

08173 Sant Cugat del Vallès. Barcelona.
Tel: 93.477.42.45 / 666.429.224

El contenido de este mensaje y de sus anexos es confidencial. Si no es el
destinatario, le hacemos saber que está prohibido utilizarlo, divulgarlo
y/o copiarlo sin tener la autorización correspondiente. Si ha recibido este
mensaje por error, le agradeceríamos que lo haga saber inmediatamente al
remitente y que proceda a destruir el mensaje.


On Mon, Feb 10, 2014 at 12:50 PM, Rob Stradling <rob.stradling@comodo.com>wrote:

> On 10/02/14 11:35, Ben Laurie wrote:
> > On 10 February 2014 10:13, Rob Stradling <rob.stradling@comodo.com>
> wrote:
> >> On 08/02/14 13:32, Ben Laurie wrote:
> >>>
> >>> On 5 February 2014 18:21, Rob Stradling <rob.stradling@comodo.com>
> wrote:
> >>>>
> >>>> On 05/02/14 17:49, Adam Langley wrote:
> >>>>>
> >>>>>
> >>>>> On Wed, Feb 5, 2014 at 12:26 PM, Rob Stradling
> >>>>> <rob.stradling@comodo.com>
> >>>>> wrote:
> >>>>>>
> >>>>>>
> >>>>>> Presumably it's somewhere between 10 and 31 days, since 1 SCT is
> >>>>>> acceptable
> >>>>>> for Stapled OCSP and the BRs permit OCSP Responses to be valid for
> up
> >>>>>> to
> >>>>>> 10
> >>>>>> days.
> >>>>>
> >>>>>
> >>>>>
> >>>>> The speed at which we need to distrust a log depends on the minimum
> >>>>> number of SCTs actually, which is why allowing a single SCT in
> stapled
> >>>>> OCSP responses is such a large concession. If the minimum number of
> >>>>> SCTs were two then the pressure to distrust a log (and the pressure
> on
> >>>>> the logs) would be dramatically reduced because compromising one log
> >>>>> wouldn't be sufficient.
> >>>>>
> >>>>>> Do you still think [1] is a good plan?
> >>>>>
> >>>>>
> >>>>>
> >>>>> Sure, if any CAs are willing to do it now :)
> >>>>
> >>>>
> >>>>
> >>>> I think "servers could just download their refreshed certificate over
> >>>> HTTP
> >>>> periodically and automatically" is the showstopper at the moment. Yes
> >>>> they
> >>>> could, but I'm not aware of any server that actually implements such a
> >>>> feature.
> >>>
> >>>
> >>> Work is under way for Apache: https://github.com/trawick/ct-httpd/.
> >>
> >>
> >> That looks like great work, but AFAICT it's only for fetching SCTs from
> CT
> >> Logs.
> >>
> >> I was talking about the lack of any mechanism in popular webserver
> software
> >> for automatically fetching and installing certificates from CAs.  In
> >> particular: a short-duration certificate that reuses the same public
> key as
> >> the previous certificate.
> >
> > Ah, I see! But why would you need it if you can refresh the SCTs
> yourself?
>
> To fix certificate revocation checking, by avoiding the need for it (as
> Adam proposed a couple of years ago - see [1]).
>
> But really, I was just trying to point out that just because CAs aren't
> noticeably issuing short-duration certs today, it doesn't mean that they
> won't do so in the future.  So I think it is worth permitting just 1
> embedded SCT for short-duration certs (for some value of "short").
>
>
> [1] https://www.imperialviolet.org/2011/03/18/revocation.html
> "A much better solution would be for certificates to only be valid for a
> few days and to forget about revocation altogether. This doesn't mean
> that the private key needs to change every few days, just the
> certificate. And the certificate is public data, so servers could just
> download their refreshed certificate over HTTP periodically and
> automatically (like OCSP stapling). Clients wouldn't have to perform
> revocation checks (which are very complex and slow), CAs wouldn't have
> to pay for massive, DDoS proof serving capacity and revocation would
> actually work. If the CA went down for six hours, nobody cares. Only if
> the CA is down for days is there a problem. If you want to “revoke” a
> certificate, just stop renewing it."
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
>
> _______________________________________________
> Public mailing list
> Public@cabforum.org
> https://cabforum.org/mailman/listinfo/public
>

v2.23.0 | Report a Bug | By Email