Re: [Trans] responses to Ryan's detailed comments on draft-ietf-trans-threat-analysis-15

Tim Hollebeek <tim.hollebeek@digicert.com> Fri, 28 September 2018 20:39 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
CC: Ben Kaduk <kaduk@mit.edu>, Trans <trans@ietf.org>, "stephentkent@gmail.com" <stephentkent@gmail.com>
Thread-Topic: [Trans] responses to Ryan's detailed comments on draft-ietf-trans-threat-analysis-15
Date: Fri, 28 Sep 2018 20:39:28 +0000
Message-ID: <DM5PR14MB1116115863D4B3811701170183EC0@DM5PR14MB1116.namprd14.prod.outlook.com>
References: <071bd596-07ec-fe8a-861c-3ef181fec848@gmail.com> <CAErg=HEschK1K9UwS79uOPjgeCxVy4cEDHzhCQxpJrc3LxqNDQ@mail.gmail.com> <20180928022909.GG24695@kduck.kaduk.org> <DM5PR14MB1116A7D338E1C53ADDEBFB3583EC0@DM5PR14MB1116.namprd14.prod.outlook.com> <CAErg=HGs14ZtTTUUmorRboZzJshxF5J_+XZ07-zExfXvY=Y2+w@mail.gmail.com>
In-Reply-To: <CAErg=HGs14ZtTTUUmorRboZzJshxF5J_+XZ07-zExfXvY=Y2+w@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/MdzwcPG1iy-VCKtdCZsQeNkrWYs>
Subject: Re: [Trans] responses to Ryan's detailed comments on draft-ietf-trans-threat-analysis-15
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>

My comment is correct for the situation as it largely exists today.

That it might be different in the future is a fair point.

-Tim

From: Ryan Sleevi <ryan-ietf@sleevi.com>
Sent: Friday, September 28, 2018 9:04 AM
To: Tim Hollebeek <tim.hollebeek@digicert.com>
Cc: Ben Kaduk <kaduk@mit.edu>; Ryan Sleevi <ryan-ietf@sleevi.com>; Trans <trans@ietf.org>; stephentkent@gmail.com
Subject: Re: [Trans] responses to Ryan's detailed comments on draft-ietf-trans-threat-analysis-15

On Fri, Sep 28, 2018 at 10:37 AM Tim Hollebeek <tim.hollebeek@digicert.com> wrote:


> For what it's worth, I do not read 6962-bis as "very much being focused" on
> CA-based logging.  Consider, for example, certificate subjects submitting
> certificates to logs, something that is done without CA involvement and can be
> done in response to (e.g.) Logs being distrusted or browsers increasing the
> required number of SCTs.  It's unclear that CAs have as much incentive as
> subjects to be responsive to changing events in this way.

SCTs have to be included in the certificate so logging by third parties does
not help with that problem.



This is not correct. Conforming clients MUST support all three methods of 
delivery of SCTs. No policy or statement in 6962-bis requires that SCTs "have 
to be included in the certificate". Perhaps you're conflating the requirement 
with SCTs for precertificates, which has been substantially overhauled in 
6962-bis in light of the concerns around precertificates?

I'm not sure where this view that the dominant form is or should be CA 
initiated logging, or that the intent of 6962-bis is to only countenance that 
scenario. Over the past 28 days, 46% of the SCTs Chrome has observed have come 
from the TLS extension, and 53% of them embedded within certificates. 0.01% 
have come from OCSP responses. This latter number is no doubt driven by at 
least three CAs who have a largely homogeneous user base (of government and 
public sector users) running on Microsoft-based services, and who were 
confident enough that they only needed to support OCSP embedding for their 
subscribers.

Any threat model design needs to consider 6962-bis as specified, which is to 
consider that these different approaches are all equally valid.
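The three SCT delivery methods discussed above (embedded in the certificate, the TLS signed_certificate_timestamp extension, and a stapled OCSP response) all carry the same wire structure, the RFC 6962 SignedCertificateTimestampList; the only difference is that the X.509 and OCSP carriers wrap it in a DER OCTET STRING. The following is an added example, not code from this thread or from any CT implementation. It decodes the list from each carrier and rejects truncated or trailing data. The log IDs and signatures are constructed placeholders, and no signature is verified (that would need the log's public key and the certificate or precertificate the SCT was issued for).

```python
# Added example: decode an RFC 6962 SignedCertificateTimestampList from each of its
# three carriers. Log IDs and signatures below are constructed placeholders; no real
# log is contacted and no signature is verified.
import struct
from typing import Dict, List

HASH_ALGS, SIG_ALGS = {4: "sha256"}, {1: "rsa", 3: "ecdsa"}  # TLS HashAlgorithm / SignatureAlgorithm codes

class SCTParseError(ValueError): pass

def _take(buf: bytes, off: int, n: int) -> bytes:
    if off + n > len(buf):
        raise SCTParseError(f"truncated: need {n} bytes at offset {off}, have {len(buf) - off}")
    return buf[off:off + n]

def parse_sct(sct: bytes) -> Dict:
    """One SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    off = 0
    version = _take(sct, off, 1)[0]; off += 1
    if version != 0:                                      # only v1 (value 0) is defined
        raise SCTParseError(f"unsupported SCT version {version}")
    log_id = _take(sct, off, 32); off += 32               # SHA-256 of the log's SPKI
    (timestamp_ms,) = struct.unpack(">Q", _take(sct, off, 8)); off += 8
    (ext_len,) = struct.unpack(">H", _take(sct, off, 2)); off += 2
    extensions = _take(sct, off, ext_len); off += ext_len
    hash_alg, sig_alg = _take(sct, off, 2); off += 2      # DigitallySigned header
    (sig_len,) = struct.unpack(">H", _take(sct, off, 2)); off += 2
    signature = _take(sct, off, sig_len); off += sig_len
    if off != len(sct):
        raise SCTParseError(f"{len(sct) - off} trailing bytes after SCT")
    return {"version": version, "log_id": log_id.hex(), "timestamp_ms": timestamp_ms,
            "extensions": extensions, "signature": signature,
            "hash_alg": HASH_ALGS.get(hash_alg, f"unknown({hash_alg})"),
            "sig_alg": SIG_ALGS.get(sig_alg, f"unknown({sig_alg})")}

def parse_sct_list(data: bytes) -> List[Dict]:
    """SignedCertificateTimestampList: uint16 total length, then (uint16 length, SCT) entries."""
    (total,) = struct.unpack(">H", _take(data, 0, 2))
    body = _take(data, 2, total)
    if len(data) != 2 + total:
        raise SCTParseError("trailing bytes after SCT list")
    scts, off = [], 0
    while off < len(body):
        (n,) = struct.unpack(">H", _take(body, off, 2)); off += 2
        if n == 0:                                        # SerializedSCT is <1..2^16-1>
            raise SCTParseError("zero-length SCT entry")
        scts.append(parse_sct(_take(body, off, n))); off += n
    if not scts:                                          # sct_list is <1..2^16-1>
        raise SCTParseError("empty SCT list")
    return scts

def der_octet_string_contents(data: bytes) -> bytes:
    """Unwrap one DER OCTET STRING (tag 0x04), short- or long-form length."""
    if not data or data[0] != 0x04:
        raise SCTParseError("expected DER OCTET STRING")
    first = _take(data, 1, 1)[0]
    if first < 0x80:
        length, off = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise SCTParseError("bad DER length")
        length, off = int.from_bytes(_take(data, 2, nbytes), "big"), 2 + nbytes
    if off + length != len(data):
        raise SCTParseError("trailing bytes after OCTET STRING")
    return _take(data, off, length)

def scts_from_carrier(carrier: str, payload: bytes) -> List[Dict]:
    """'x509': extnValue of the 1.3.6.1.4.1.11129.2.4.2 certificate extension;
    'ocsp': extnValue of the same OID in a stapled OCSP response;
    'tls':  extension_data of the signed_certificate_timestamp (18) TLS extension.
    X.509 and OCSP wrap the list in a DER OCTET STRING; the TLS extension does not."""
    if carrier in ("x509", "ocsp"):
        return parse_sct_list(der_octet_string_contents(payload))
    if carrier == "tls":
        return parse_sct_list(payload)
    raise ValueError(f"unknown carrier {carrier!r}")

# ---- constructed sample data (placeholder log IDs and signatures, not real ones) ----
def build_sct(log_id: bytes, timestamp_ms: int, signature: bytes) -> bytes:
    """v1 SCT, empty extensions, sha256/ecdsa DigitallySigned."""
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms) + struct.pack(">H", 0)
            + bytes([4, 3]) + struct.pack(">H", len(signature)) + signature)

def build_sct_list(scts: List[bytes]) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body

def der_octet_string(contents: bytes) -> bytes:
    n = len(contents)  # sample lists stay below 256 bytes, so one long-form length byte suffices
    return (bytes([0x04, n]) if n < 0x80 else bytes([0x04, 0x81, n])) + contents

SAMPLE_LIST = build_sct_list([
    build_sct(b"\xa1" * 32, 1538167171000, b"\x30\x44" + b"\x11" * 68),
    build_sct(b"\xb2" * 32, 1538167171500, b"\x30\x45" + b"\x22" * 69),
])

def demo() -> Dict[str, int]:
    """SCTs recovered per carrier; the same list decodes identically from all three."""
    return {"x509": len(scts_from_carrier("x509", der_octet_string(SAMPLE_LIST))),
            "ocsp": len(scts_from_carrier("ocsp", der_octet_string(SAMPLE_LIST))),
            "tls": len(scts_from_carrier("tls", SAMPLE_LIST))}
```

Calling demo() returns two SCTs for every carrier, which is the point of the exchange above: a client that only looks in the certificate misses SCTs a server delivers via the TLS extension or OCSP, while a parser written against the list structure once works for all three once the DER wrapper is accounted for. To extend this to real data, feed the extnValue bytes of extension 1.3.6.1.4.1.11129.2.4.2 (after the outer OCTET STRING that every X.509 extnValue carries) to the "x509" path, and the raw TLS extension body to the "tls" path.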