Re: [therightkey] Defining CT-for-PKIX and CT-for-DNSSEC

Carl Wallace <carl@redhoundsoftware.com> Mon, 19 November 2012 13:20 UTC

Date: Mon, 19 Nov 2012 08:20:42 -0500
From: Carl Wallace <carl@redhoundsoftware.com>
To: Ben Laurie <benl@google.com>
Message-ID: <CCCF9A14.36504%carl@redhoundsoftware.com>
Thread-Topic: [therightkey] Defining CT-for-PKIX and CT-for-DNSSEC
In-Reply-To: <CABrd9SQrtaKTupOhPRyuomHaEXRopCE+vw_aqaYjC-F7uEKfwA@mail.gmail.com>
Cc: therightkey@ietf.org, Paul Wouters <paul@nohats.ca>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [therightkey] Defining CT-for-PKIX and CT-for-DNSSEC

On 11/19/12 8:08 AM, "Ben Laurie" <benl@google.com> wrote:
>> In any case, I have a hard time seeing why you would reject certificates
>> signed by a public CA (or any other CA that is covered by the log).  CA
>> operators and legitimate domain owners should be interested in these and
>> the signature check ought to be good enough for spam prevention unless
>> things are more broken than is commonly reported.
>
>We would not reject them. Why do you think we would?

A misunderstanding I hope.  If you are saying that browsers/observers
can/would submit certificates that chain through a CA covered by the log
then I have no issue.  If (as I had come to think) the log is fed during
issuance, then I think a significant part of the potential value is lost.

Part of the problem in tracking this right now is the TBD in section 3 of
the draft.  I'll refrain from further comment until that text is present,
since that should clarify things.