Re: [therightkey] Other solutions to the problem
Ben Laurie <benl@google.com> Thu, 01 November 2012 11:26 UTC
Return-Path: <benl@google.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5BA421F84AE for <therightkey@ietfa.amsl.com>; Thu, 1 Nov 2012 04:26:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.675
X-Spam-Level:
X-Spam-Status: No, score=-102.675 tagged_above=-999 required=5 tests=[AWL=0.302, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hJRSQeHTqV44 for <therightkey@ietfa.amsl.com>; Thu, 1 Nov 2012 04:26:38 -0700 (PDT)
Received: from mail-wi0-f172.google.com (mail-wi0-f172.google.com [209.85.212.172]) by ietfa.amsl.com (Postfix) with ESMTP id 67D9B21F8449 for <therightkey@ietf.org>; Thu, 1 Nov 2012 04:26:38 -0700 (PDT)
Received: by mail-wi0-f172.google.com with SMTP id hq12so205582wib.13 for <therightkey@ietf.org>; Thu, 01 Nov 2012 04:26:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-system-of-record; bh=KZsvCxZ7Pypdyj6mo4viX2ycRaEaC+y4FfQ/G/wL1kY=; b=EZ5C6q/MWt16cZ+ULjymFw42tbMD4X1Q4qZs5Mk4QdpuLoGhfpkdAL5tTwJg/puUVE 8xZig1blcuAcHT9LAAj4ZyFNPnnjqtN/zlE+HGxF6lhaBOy9E4QVjUz3cAutqeD/DOH4 akyWy/qSJKaDgNB1zX7Ph2i///HUUH5UbDeS17odDAVhtSbtOG89YFonm4ThSmqgsyyB W1WHI7TAg8oz/OvMR+CxnpX1xjemZgeEea1SQBhF4zPTlmm0CUyQhyeYIHpWYsurunsU Th1AAhMLFmOUpdSJiTl2AD1VtekuFx0sfx1iMn4k36Nvq2fGUjwy4FAspihPPtOC4fNx idjA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-system-of-record:x-gm-message-state; bh=KZsvCxZ7Pypdyj6mo4viX2ycRaEaC+y4FfQ/G/wL1kY=; b=bDkZQ/NWsuHwkJLKhfuzxGAMU6mDNWVYmwCAIVOxyeh6tvTjwAZj5cIhCzCBAUZOeG fhGWYveKIMCd1omgOtF8OfGakpqKU1UlTXj4Tb9OWJYt0YrHBkpGamYlX3CyY7lVYR6B LE5kAvQxJ8RponQFWsjIcHC2eDKRgkgLUwFHHqsndr+LGwMMDH5hBjzjUfJO9l5kqwuC XXNdzFayXBLZQHBpCijvH6rhlYVdAGBGl+V+Z9rtBOvyiv0SFfFWvqrM5PyZ2N/TvxgT VOXwln4FsMCZbxMRtEhmCjAGycOW+7+XVIaA/XshDDRLZmYCZWXRr0PXHxpEUQMUVMkJ r11A==
MIME-Version: 1.0
Received: by 10.180.100.101 with SMTP id ex5mr1396239wib.16.1351769197067; Thu, 01 Nov 2012 04:26:37 -0700 (PDT)
Received: by 10.194.76.170 with HTTP; Thu, 1 Nov 2012 04:26:36 -0700 (PDT)
In-Reply-To: <CAMm+LwgyBLm+dUV5CwisaYyws21y2ghTBa98FGW9dBpaaaeAyg@mail.gmail.com>
References: <7500672F-5BDE-4EBE-ABC3-1AFEF2972D95@vpnc.org> <70E51AD3-D937-416E-8F3C-60B6156190DC@vpnc.org> <CAMm+LwgSrwBO=cD5zQ5G1PG0YyC7gvG7cWGqhL1KhPectG6Y+w@mail.gmail.com> <DDDF8726-F491-46AB-9A4A-AFB99006A393@vpnc.org> <42F98BCB-17F8-427E-8E9D-33A04978A339@vpnc.org> <CAMm+LwihwHFYcAkJvjRe7Js9AJkS8s6ZooxJnE526UOsWHGCuw@mail.gmail.com> <A09B4DFF-936C-488C-9915-B5F9A579FA1F@vpnc.org> <CABrd9STFeAxxmFDCZMkREXyEcKbeeQbF8ZeESXcoKPnkckdZwQ@mail.gmail.com> <CAMm+Lwg6EoSy-p7US0uZtKjxGHF39iH-0mvxg-hJ+AqK4vXL-A@mail.gmail.com> <CABrd9SRa9Ye9gkjpaQ+PqQyay9NKJB__dkDwOBwPHvw16dkTRg@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069D3FBAE8@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CAOuvq22PMSq2sAmUBfJcWu6LhEdCA3jKteu38m4UuHbykp7xZw@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069D5FC685@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <6DD8CB4F-1233-403D-A27E-F3F80310390F@vpnc.org> <544B0DD62A64C1448B2DA253C0114146069D5FC79B@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <508A48C5.9070005@comodo.com> <CABrd9SR4y5nRm-AP6t5_HzUO+CROwh+KnVn48_9hMTFQ4A93=Q@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069D76E5FC@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CABrd9STHtw__Wm30Z5T27mx8PMb-mScCSa-EZVDdeQvy_Rru1Q@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069F66F830@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CABrd9SSJWm_8BY9uN4D6=LmogwkNeLMZtJaOX2MQU1QuCHJwyg@mail.gmail.com> <CAMm+LwgyBLm+dUV5CwisaYyws21y2ghTBa98FGW9dBpaaaeAyg@mail.gmail.com>
Date: Thu, 01 Nov 2012 11:26:36 +0000
Message-ID: <CABrd9SSpR+kypFH6rWPPkrYb7eU2Gf71k6mt5S+z3X0-GmVVnA@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
X-System-Of-Record: true
X-Gm-Message-State: ALoCoQlgz0wEhRXyKEAk5Hj5xRwCDd1n/z4GPUD4+g+xtkGnk8Bc1JMT6owbAxJIz3ySzHuQCciZp9wSQmR0Wyh4x3M2LVMW2w5mjWYhVXNUA68PVb20fdpvgqYQubTj2HBHbAmKss12JVaj3DMVAMmgwf9BRfhsse223RuRtkzlicLh9myCONyXih0VdYi4wmJA7+yzbiyu
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, Rob Stradling <rob.stradling@comodo.com>, Paul Hoffman <paul.hoffman@vpnc.org>, Rick Andrews <Rick_Andrews@symantec.com>
Subject: Re: [therightkey] Other solutions to the problem
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Nov 2012 11:26:39 -0000
On 1 November 2012 11:22, Phillip Hallam-Baker <hallam@gmail.com> wrote: > Zero net admin steps is probably a necessary criteria. What you think not > hard might as well be rocket science to most. Maybe, but the rocket science involved in getting a cert in the first place is far worse. > > > On Thu, Nov 1, 2012 at 5:10 AM, Ben Laurie <benl@google.com> wrote: >> >> On 31 October 2012 23:57, Rick Andrews <Rick_Andrews@symantec.com> wrote: >> >> -----Original Message----- >> >> From: Ben Laurie [mailto:benl@google.com] >> >> Sent: Monday, October 29, 2012 3:10 AM >> >> To: Rick Andrews >> >> Cc: Rob Stradling; therightkey@ietf.org; Paul Hoffman >> >> Subject: Re: [therightkey] Other solutions to the problem >> >> >> >> On 26 October 2012 22:31, Rick Andrews <Rick_Andrews@symantec.com> >> >> wrote: >> >> >> -----Original Message----- >> >> >> From: Ben Laurie [mailto:benl@google.com] >> >> >> Sent: Friday, October 26, 2012 1:51 AM >> >> >> To: Rob Stradling >> >> >> Cc: Rick Andrews; therightkey@ietf.org; Paul Hoffman >> >> >> Subject: Re: [therightkey] Other solutions to the problem >> >> >> >> >> >> On 26 October 2012 09:24, Rob Stradling <rob.stradling@comodo.com> >> >> >> wrote: >> >> >> > On 26/10/12 00:58, Rick Andrews wrote: >> >> >> > <snip> >> >> >> > >> >> >> >> AFAICT, for CT to really work it will require participation from >> >> >> every CA >> >> >> >> whose roots are in browsers. I think you're underestimating how >> >> hard >> >> >> it will >> >> >> >> be to achieve that. >> >> >> > >> >> >> > >> >> >> > Rick, >> >> >> > >> >> >> > Ultimately, assuming the RFC5878 TLS extension gains widespread >> >> >> support in >> >> >> > server and client software, CT won't _require_ participation from >> >> any >> >> >> CA. >> >> >> > Each certificate holder will be able to configure their server to >> >> >> send their >> >> >> > certificate's CT proof to each client. >> >> > >> >> > I see, so the certificate holder can submit their newly-minted >> >> certificate to a log server to get a CT proof. Instead of requiring the >> >> participation of every CA, you now require the participation of every >> >> certificate holder. >> >> >> >> No, it is an option. >> > >> > I understand that. I was trying to point out that for CT to be >> > effective, you either need all CAs to participate, or for every CA that >> > doesn't participate, their customers who want protection have to participate >> > directly. I feel that's a pretty high bar to surmount. >> >> Its only software. The process of participating in CT for a server >> operator is: >> >> 1. Run command line tool once, giving it your certificate as input and >> an SCT file as output. >> >> 2. Add one line of configuration to your server config. >> >> Not exactly rocket science. If people _really_ find it hard, we could >> build it into the servers so there was no manual step at all. >> >> >> >You might say that not every certificate holder will need or want CT, >> >> but I would guess that the number that would want the protection would >> >> be far greater than the number of CAs. >> >> >> >> Given that the plan is browsers will refuse non-CTed certs, I imagine >> >> most holder of certificates used by the public will want CT. >> > >> > Do you have agreements with the major browser vendors to do this? It's >> > possible that not all of them will be on board. >> >> In practice, only one major browser needs to participate to give herd >> immunity. Obviously it would be nice if they all did, but it is not an >> urgent problem. >> >> >> >> > But with participation from the CAs, it should be possible to >> >> realize >> >> >> the CT >> >> >> > dream far sooner. And (even in a future world where RFC5878 is >> >> >> supported >> >> >> > everywhere) if the CA takes care of CT proof distribution, then >> >> that >> >> >> makes >> >> >> > life easier for the certificate holder. >> >> >> > >> >> >> > >> >> >> >> Further, no one has yet brought up the privacy issue. CAs sell a >> >> lot >> >> >> of >> >> >> >> certificates to companies for their internal use. Some of them >> >> may >> >> >> object to >> >> >> >> publishing all their internal domain names. >> >> >> > >> >> >> > >> >> >> > This has been a concern for Comodo too, so I spoke to AGL about it >> >> a >> >> >> few >> >> >> > weeks ago. AIUI, the plan is that CT clients will have a user- >> >> >> configurable >> >> >> > whitelist (empty by default) of domain names for which CT proofs >> >> will >> >> >> not be >> >> >> > required. Participating CAs should allow customers to opt-out >> >> from >> >> >> having >> >> >> > their certs automatically logged with CT. >> >> > >> >> > I believe in your plan each browser will be a CT client. Aside from >> >> the fact that the white list is an attractive target for hackers, I >> >> don't see how the average user is going to know how to configure this >> >> white list. I'm reminded of Adam's arguments against Convergence >> >> (http://www.imperialviolet.org/2011/09/07/convergence.html). >> >> >> >> This is why I think the best solution is to issue private certs >> >> through a name constrained intermediate which is logged. >> > >> > I agree. >> >> I'm glad we agree on something! >> _______________________________________________ >> therightkey mailing list >> therightkey@ietf.org >> https://www.ietf.org/mailman/listinfo/therightkey > > > > > -- > Website: http://hallambaker.com/ >
- [therightkey] Certrans BoF planning Paul Hoffman
- [therightkey] Call for agenda items for certrans … Paul Hoffman
- Re: [therightkey] Call for agenda items for certr… Phillip Hallam-Baker
- Re: [therightkey] Call for agenda items for certr… Paul Hoffman
- Re: [therightkey] Call for agenda items for certr… Paul Hoffman
- Re: [therightkey] Call for agenda items for certr… Phillip Hallam-Baker
- [therightkey] Impact on issue processes Paul Hoffman
- Re: [therightkey] Impact on issue processes Ben Laurie
- Re: [therightkey] Impact on issue processes Phillip Hallam-Baker
- Re: [therightkey] Impact on issue processes Rob Stradling
- Re: [therightkey] Impact on issue processes Ben Laurie
- Re: [therightkey] Impact on issue processes Ben Laurie
- Re: [therightkey] Impact on issue processes Phillip Hallam-Baker
- Re: [therightkey] Impact on issue processes Erwann Abalea
- Re: [therightkey] Impact on issue processes Rick Andrews
- Re: [therightkey] Impact on issue processes Chris Palmer
- Re: [therightkey] Impact on issue processes Ben Laurie
- Re: [therightkey] Impact on issue processes Paul Hoffman
- Re: [therightkey] Impact on issue processes Phillip Hallam-Baker
- Re: [therightkey] Impact on issue processes Paul Hoffman
- Re: [therightkey] Impact on issue processes Rob Stradling
- Re: [therightkey] Impact on issue processes Paul Hoffman
- Re: [therightkey] Impact on issue processes Rick Andrews
- [therightkey] Other solutions to the problem Paul Hoffman
- Re: [therightkey] Impact on issue processes Chris Palmer
- Re: [therightkey] Other solutions to the problem Rick Andrews
- Re: [therightkey] Other solutions to the problem Chris Palmer
- Re: [therightkey] Other solutions to the problem Yoav Nir
- Re: [therightkey] Other solutions to the problem Rob Stradling
- Re: [therightkey] Other solutions to the problem Ben Laurie
- Re: [therightkey] Impact on issue processes Ben Laurie
- Re: [therightkey] Call for agenda items for certr… Ben Laurie
- Re: [therightkey] Other solutions to the problem Rick Andrews
- Re: [therightkey] Other solutions to the problem Leif Johansson
- Re: [therightkey] Other solutions to the problem Ben Laurie
- Re: [therightkey] Other solutions to the problem Ben Laurie
- Re: [therightkey] Other solutions to the problem Rick Andrews
- Re: [therightkey] Other solutions to the problem Stephen Farrell
- Re: [therightkey] Other solutions to the problem Ben Laurie
- Re: [therightkey] Other solutions to the problem Phillip Hallam-Baker
- Re: [therightkey] Other solutions to the problem Ben Laurie
- [therightkey] Barely-capable CAs Paul Hoffman
- Re: [therightkey] Barely-capable CAs Phillip Hallam-Baker
- Re: [therightkey] Barely-capable CAs Lucy Lynch
- Re: [therightkey] Barely-capable CAs Paul Hoffman
- Re: [therightkey] Barely-capable CAs Rick Andrews
- Re: [therightkey] Barely-capable CAs Phillip Hallam-Baker
- Re: [therightkey] Barely-capable CAs Stephen Farrell
- Re: [therightkey] Barely-capable CAs Paul Hoffman
- Re: [therightkey] Barely-capable CAs Phillip Hallam-Baker
- Re: [therightkey] Barely-capable CAs Ben Laurie
- Re: [therightkey] Barely-capable CAs Phillip Hallam-Baker
- Re: [therightkey] Barely-capable CAs Rob Stradling
- Re: [therightkey] Barely-capable CAs Nico Williams
- Re: [therightkey] Barely-capable CAs Ben Laurie
- Re: [therightkey] Barely-capable CAs Paul Hoffman
- Re: [therightkey] Barely-capable CAs Rob Stradling
- Re: [therightkey] Barely-capable CAs Phillip Hallam-Baker
- Re: [therightkey] Barely-capable CAs Rob Stradling
- Re: [therightkey] Barely-capable CAs Rob Stradling
- Re: [therightkey] Barely-capable CAs Paul Hoffman
- Re: [therightkey] Barely-capable CAs Rob Stradling
- Re: [therightkey] Barely-capable CAs Rob Stradling
- Re: [therightkey] Barely-capable CAs Martin Rex
- Re: [therightkey] Barely-capable CAs Jon Callas
- Re: [therightkey] Barely-capable CAs Jon Callas
- Re: [therightkey] Barely-capable CAs Phillip Hallam-Baker