Re: [TLS] ETSI releases standards for enterprise security and data centre management

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 11 December 2018 11:58 UTC

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: Christian Huitema <huitema@huitema.net>, tls@ietf.org
In-Reply-To: <20181209173520.GA4007@roeckx.be>
References: <CADqLbzKd-AgDRv2suZ-0Nz4jNUqKg0RNT8sgQd-n793t+gEN3g@mail.gmail.com> <CAHOTMVKZT1ScvHeP3=Kv2zodVimHkaAtG-2DTq6ojnF+q-OMSQ@mail.gmail.com> <CADqLbzL16cnm-WQXj4bh9awOp6Qqnu21cQd3T9XxpVhHse8yoQ@mail.gmail.com> <CAHOTMV+ppxTmNaBdTOEkXzX_LWWcE=RMu4sxN3CsHTEga_8M2Q@mail.gmail.com> <7de09a4c-4ba9-d4ac-3371-89af3294f424@huitema.net> <87in08lipp.fsf@fifthhorseman.net> <20181209173520.GA4007@roeckx.be>
Date: Tue, 11 Dec 2018 06:56:14 -0500
Message-ID: <87woogqntt.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2FX9NVf-DpW5tYZXhsIgWNdqzwo>
Subject: Re: [TLS] ETSI releases standards for enterprise security and data centre management

On Sun 2018-12-09 18:35:20 +0100, Kurt Roeckx wrote:
> On Wed, Dec 05, 2018 at 07:07:30AM +0300, Daniel Kahn Gillmor wrote:
>> One mitigating factor of the ETSI standard, i suppose, is that the
>> CABForum's Baseline Requirements forbid issuance of a certificate with
>> any subjectAltName other than dNSName or iPAddress, so otherName looks
>> like it must not be issued by standard public CAs.
>> 
>> top of p. 44 of https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.1.pdf
>> 
>> Has anyone set up tools to monitor the CT logs for such a sAN to see
>> whether that element of the BR is being honored?
>
> All the linters will give an error about that, see for instance:
> https://crt.sh/?id=1009623020&opt=x509lint,cablint,zlint

right, so what is to be done about that, when some of these CAs are
clearly violating the BRs?  Transparency is only as useful as the
actions we can take once violations are uncovered.  Unactionable
transparency just sounds like despair to me.  So what's the action?

          --dkg
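An added example, not part of the thread and not code from x509lint, cablint or zlint: a minimal check of the Baseline Requirements rule discussed above, parsing a DER-encoded SubjectAltName extension value and reporting every GeneralName type other than dNSName or iPAddress. The sample bytes (including the otherName it carries) are constructed for the example.

```python
# Added example: lint a DER SubjectAltName extension value against the
# CA/Browser Forum BR rule that only dNSName and iPAddress are permitted.

# GeneralName CHOICE tags from RFC 5280, context-specific [n].
GENERAL_NAME_TAGS = {
    0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
    4: "directoryName", 5: "ediPartyName", 6: "uniformResourceIdentifier",
    7: "iPAddress", 8: "registeredID",
}
BR_PERMITTED = {"dNSName", "iPAddress"}

def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def lint_san(der):
    """Return [(name_type, raw_value)] for every GeneralName the BR forbids."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE OF GeneralName")
    violations, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag & 0xC0 != 0x80:             # every GeneralName is context-specific
            raise ValueError("unexpected tag 0x%02x in GeneralNames" % tag)
        name_type = GENERAL_NAME_TAGS.get(tag & 0x1F, "unknown")
        if name_type not in BR_PERMITTED:
            violations.append((name_type, value))
    return violations

# Constructed sample SAN: dNSName "example.com", an otherName, IPv4 192.0.2.1.
SAMPLE_SAN = bytes.fromhex(
    "3024"                                 # SEQUENCE, 36 bytes
    "820b" "6578616d706c652e636f6d"        # [2] dNSName "example.com"
    "a00f" "06082b06010505070805"          # [0] otherName: OID id-on-xmppAddr
           "a0030c0178"                    #     [0] EXPLICIT UTF8String "x"
    "8704" "c0000201"                      # [7] iPAddress 192.0.2.1
)

if __name__ == "__main__":
    for name_type, raw in lint_san(SAMPLE_SAN):
        print("BR violation: SAN type %s (%d bytes)" % (name_type, len(raw)))
```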