Re: [TLS] ETSI releases standards for enterprise security and data centre management

Kurt Roeckx <kurt@roeckx.be> Sun, 09 December 2018 17:35 UTC

Return-Path: <kurt@roeckx.be>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E150130DD7 for <tls@ietfa.amsl.com>; Sun, 9 Dec 2018 09:35:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N8GLxXotq37d for <tls@ietfa.amsl.com>; Sun, 9 Dec 2018 09:35:24 -0800 (PST)
Received: from excelsior.roeckx.be (excelsior.roeckx.be [195.234.45.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 615E4130E02 for <tls@ietf.org>; Sun, 9 Dec 2018 09:35:24 -0800 (PST)
Received: from intrepid.roeckx.be (localhost [127.0.0.1]) by excelsior.roeckx.be (Postfix) with ESMTP id E4FF2A8A19CC; Sun, 9 Dec 2018 17:35:21 +0000 (UTC)
Received: by intrepid.roeckx.be (Postfix, from userid 1000) id 73AB51FE0A9A; Sun, 9 Dec 2018 18:35:21 +0100 (CET)
Date: Sun, 9 Dec 2018 18:35:20 +0100
From: Kurt Roeckx <kurt@roeckx.be>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: Christian Huitema <huitema@huitema.net>, tls@ietf.org
Message-ID: <20181209173520.GA4007@roeckx.be>
References: <CADqLbzKd-AgDRv2suZ-0Nz4jNUqKg0RNT8sgQd-n793t+gEN3g@mail.gmail.com> <CAHOTMVKZT1ScvHeP3=Kv2zodVimHkaAtG-2DTq6ojnF+q-OMSQ@mail.gmail.com> <CADqLbzL16cnm-WQXj4bh9awOp6Qqnu21cQd3T9XxpVhHse8yoQ@mail.gmail.com> <CAHOTMV+ppxTmNaBdTOEkXzX_LWWcE=RMu4sxN3CsHTEga_8M2Q@mail.gmail.com> <7de09a4c-4ba9-d4ac-3371-89af3294f424@huitema.net> <87in08lipp.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <87in08lipp.fsf@fifthhorseman.net>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/vIpJARo1jhM4lY4gYyqJrmAUQpw>
Subject: Re: [TLS] ETSI releases standards for enterprise security and data centre management
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Dec 2018 17:35:34 -0000

On Wed, Dec 05, 2018 at 07:07:30AM +0300, Daniel Kahn Gillmor wrote:
> One mitigating factor of the ETSI standard, i suppose, is that the
> CABForum's Baseline Requirements forbid issuance of a certificate with
> any subjectAltName other than dNSName or iPAddress, so otherName looks
> like it must not be issued by standard public CAs.
> 
> top of p. 44 of https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.1.pdf
> 
> Has anyone set up tools to monitor the CT logs for such a sAN to see
> whether that element of the BR is being honored?

All the linters will give an error about that, see for instance:
https://crt.sh/?id=1009623020&opt=x509lint,cablint,zlint


Kurt