[Trans] When are non-EE certificates expected to be logged?

Eran Messeri <eranm@google.com> Wed, 23 July 2014 20:30 UTC

Following a discussion about correlating SCTs to certificates (ticket 23
<http://trac.tools.ietf.org/wg/trans/trac/ticket/23>):

My understanding is that any intermediate CA certificate may be logged
(either as a Precertificate or after issuance) *in addition* to the
end-entity certificate.

RFC 6962 only requires TLS clients to validate SCTs for server certificates
(presumably end-entity certificates), so SCTs for any intermediate are not
very useful.

The only case I see where an intermediate CA certificate is logged
*instead* of a CA certificate is when a Name-Constrained intermediate CA
cert is logged.

In light of this, it seems that ticket 23 can be solved by specifying that
TLS clients check all non-embedded SCTs against the end-entity certificate
or the intermediate certificate with extension OID 1.3.6.1.4.1.11129.2.4.7.

Eran
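The correlation rule proposed in this message, shown as an added example (not code from the post or from any CT implementation): a client serialises the RFC 6962 section 3.2 signed struct for each candidate certificate (the end-entity cert plus any intermediate carrying extension OID 1.3.6.1.4.1.11129.2.4.7) and keeps the one whose bytes the SCT signature verifies over. The chain, the log key and the SCTs are constructed stand-ins, and an HMAC replaces the log's ECDSA signature so the script runs with the standard library alone.

```python
import hashlib
import hmac
import struct

# Extension OID from the post that marks a name-constrained intermediate CA.
NAME_CONSTRAINED_INTERMEDIATE_OID = "1.3.6.1.4.1.11129.2.4.7"

def sct_signed_data(timestamp_ms, cert_der, extensions=b""):
    """RFC 6962 section 3.2 'digitally-signed struct' for an x509_entry:
    sct_version v1 (0) | signature_type certificate_timestamp (0) | uint64
    timestamp | entry_type x509_entry (0) | ASN.1Cert (24-bit length prefix)
    | CtExtensions (16-bit length prefix)."""
    return (b"\x00" + b"\x00" + struct.pack(">Q", timestamp_ms) + b"\x00\x00"
            + len(cert_der).to_bytes(3, "big") + cert_der
            + struct.pack(">H", len(extensions)) + extensions)

def sct_candidates(chain):
    """Certificates a non-embedded SCT may belong to under the proposed rule:
    the end-entity cert (chain[0]) and any intermediate that carries the
    name-constrained-intermediate extension. Chain entries are dicts with
    'name', 'der' and 'ext_oids' (constructed stand-ins for parsed X.509)."""
    return [chain[0]] + [c for c in chain[1:]
                         if NAME_CONSTRAINED_INTERMEDIATE_OID in c["ext_oids"]]

def match_sct(chain, sct, log_key):
    """Return the name of the candidate certificate the SCT signs, or None.
    ASSUMPTION: HMAC-SHA256 stands in for the log's ECDSA signature; a real
    client verifies the log's signature over exactly these bytes."""
    for cert in sct_candidates(chain):
        expected = hmac.new(log_key, sct_signed_data(sct["timestamp"], cert["der"]),
                            hashlib.sha256).digest()
        if hmac.compare_digest(expected, sct["signature"]):
            return cert["name"]
    return None

LOG_KEY = b"constructed-log-key"  # constructed stand-in for the log's key
CHAIN = [  # constructed chain: EE, name-constrained intermediate, root
    {"name": "ee", "der": b"\x30\x82ee-cert", "ext_oids": ["2.5.29.17"]},
    {"name": "nc-intermediate", "der": b"\x30\x82nc-ca",
     "ext_oids": ["2.5.29.19", NAME_CONSTRAINED_INTERMEDIATE_OID]},
    {"name": "root", "der": b"\x30\x82root", "ext_oids": ["2.5.29.19"]},
]

def issue_sct(cert, timestamp_ms=1406147415740):
    """Constructed log side: sign the struct for one certificate."""
    data = sct_signed_data(timestamp_ms, cert["der"])
    return {"timestamp": timestamp_ms,
            "signature": hmac.new(LOG_KEY, data, hashlib.sha256).digest()}

if __name__ == "__main__":
    print(match_sct(CHAIN, issue_sct(CHAIN[1]), LOG_KEY))  # nc-intermediate
```

An SCT issued for the root is not matched because the root is never a candidate, which is the point of restricting the search to the EE cert and flagged intermediates.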