[therightkey] draft-laurie-pki-sunlight-02
Chris Richardson <chris@randomnonce.org> Thu, 15 November 2012 02:09 UTC
Return-Path: <chris@randomnonce.org>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23B3A21F844A for <therightkey@ietfa.amsl.com>; Wed, 14 Nov 2012 18:09:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M9VL1FNLThwV for <therightkey@ietfa.amsl.com>; Wed, 14 Nov 2012 18:09:55 -0800 (PST)
Received: from mail-bk0-f44.google.com (mail-bk0-f44.google.com [209.85.214.44]) by ietfa.amsl.com (Postfix) with ESMTP id 2E7F421F8448 for <therightkey@ietf.org>; Wed, 14 Nov 2012 18:09:54 -0800 (PST)
Received: by mail-bk0-f44.google.com with SMTP id w11so508316bku.31 for <therightkey@ietf.org>; Wed, 14 Nov 2012 18:09:54 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:date:message-id:subject:from:to :content-type:x-gm-message-state; bh=/ykS42L/XfBunuuP7ON/hekCTMJXY1kMyMvOyzP3c60=; b=mMJJeHRUyEerYXUo8f2XMEvTBLHVU2HWzESfvW1Q7hXvactgcviF9mhqCz6E6ms4kS DrYnI7m6+V0VmPb9haqAagxHqXxWuscDO82JPhZKrizD0jB+/g//4n/wKw5hmR6lrax8 lzH+EjCRkDIZ1lKEhUe53NQPWnxC/MxpwPJkYqFn7oAgkqME+b1BE6p9jTa5HwsuBZPT aBv6XeAKoCmk9KbCFKV/yVlsL/5L6N1lYAZGdUmv6YJRGTi40cfJxU7d2sfkNJksYJh/ BjJNMjvVOeTiPbKaA6ikxwJsBOuj1vAXF9sURobUyOuKbxt2HEfRUk/D0TnUNKRq+GBI XzQA==
MIME-Version: 1.0
Received: by 10.204.9.139 with SMTP id l11mr7754358bkl.133.1352945393927; Wed, 14 Nov 2012 18:09:53 -0800 (PST)
Received: by 10.205.125.132 with HTTP; Wed, 14 Nov 2012 18:09:53 -0800 (PST)
X-Originating-IP: [62.220.135.129]
Date: Thu, 15 Nov 2012 02:09:53 +0000
Message-ID: <CADKevbCqyn9780qZO2CgBdVi0F26Syjf5OPmxhk68BVc6wHnew@mail.gmail.com>
From: Chris Richardson <chris@randomnonce.org>
To: therightkey@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
X-Gm-Message-State: ALoCoQkriSabx5lwmZnVGYvOSR+sD3H0+mXhIXWOMdFl+x6R6w0Qrvr9tnHjuBBR1KmN+giDZxDR
Subject: [therightkey] draft-laurie-pki-sunlight-02
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Nov 2012 02:09:56 -0000
I have a few questions and comments on this document: A general comment: What should a log do if it receives multiple submissions of the same certificate? It MUST detect and reject duplicates? SHOULD detect? What if it receives a certificate containing an embedded SCT from itself? MUST/SHOULD/MAY reject? Section 1.1 fixes the hash algorithm as SHA-256. It makes no mention of acceptable digital signature algorithms. http://www.certificate-transparency.org/sizes indicates the thinking is ECC. Is RSA an acceptable signature algorithm? Section 2.1: Shouldn't Version be covered by the signature in a SignedCertificateTimestamp? I'd think it would be beneficial to be able to verify that the signature was intended for the same version as is claimed in the unsigned portion. Section 2.2 (minor edit): upon first read, the units of old_tree_size wasn't clear (leaf count? bytes?) The description of tree_size is explicit on the units ("number of entries"). I would appreciate it if old_tree_size had similar text. Section 2.3 (minor edit): the last bullet uses the term tree_signature, when the rest of the text uses tree_head_signature. Regards, Chris
- [therightkey] draft-laurie-pki-sunlight-02 Chris Richardson
- Re: [therightkey] draft-laurie-pki-sunlight-02 Ben Laurie