IETF Logo Mail Archive

Re: [Trans] draft-ietf-trans-rfc6962-bis-31

Paul Wouters <paul@nohats.ca> Wed, 26 June 2019 04:42 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5378512017F for <trans@ietfa.amsl.com>; Tue, 25 Jun 2019 21:42:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NXh5gTKKg3-a for <trans@ietfa.amsl.com>; Tue, 25 Jun 2019 21:42:31 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEC8F1200DF for <trans@ietf.org>; Tue, 25 Jun 2019 21:42:30 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 45YVkY0zZlz3J8; Wed, 26 Jun 2019 06:42:29 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1561524149; bh=27zzEH7JsBUXD4FmTf5OeDCekQYX0suyTHeKowbE9Iw=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=R2OV0KPJ/tvVOABmGmr5KFfb/WfDoOZHU72lsAffGERpqH0ctAGLkXqTEC4++3Ui4 mSLtjMjLZnQDHVDUjb7p3Ep4FXQBiISQVzF+YaQ9J94a197B+JizGyEmSiTcFU4cPo TsiEpf7LqYo0PmZ3n/lE2NZRvUd56i3U1mTpBlnY=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id OuHZYJ0Z6Z60; Wed, 26 Jun 2019 06:42:27 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 26 Jun 2019 06:42:26 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 513103547F5; Wed, 26 Jun 2019 00:42:25 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 513103547F5
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 465CA40D35BF; Wed, 26 Jun 2019 00:42:25 -0400 (EDT)
Date: Wed, 26 Jun 2019 00:42:25 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: Rashmi Jha <rashmij=40microsoft.com@dmarc.ietf.org>
cc: Eran Messeri <eranm=40google.com@dmarc.ietf.org>, "trans@ietf.org" <trans@ietf.org>
In-Reply-To: <MWHPR21MB084622793C06701F9A7CCD8CA7E20@MWHPR21MB0846.namprd21.prod.outlook.com>
Message-ID: <alpine.LRH.2.21.1906260032010.14406@bofh.nohats.ca>
References: <MWHPR21MB0846D2C92633AE28A7B012EAA7E50@MWHPR21MB0846.namprd21.prod.outlook.com> <alpine.LRH.2.21.1906191936520.28894@bofh.nohats.ca> <CALzYgEefnThirThr=LwvD-T=L_b1nmNSGG90kxffwb9rc8ry=g@mail.gmail.com> <MWHPR21MB084622793C06701F9A7CCD8CA7E20@MWHPR21MB0846.namprd21.prod.outlook.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8BIT
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/0f9rtYqGyIU1JZKWjeE0VEsQFuQ>
Subject: Re: [Trans] draft-ietf-trans-rfc6962-bis-31
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jun 2019 04:42:34 -0000

On Wed, 26 Jun 2019, Rashmi Jha wrote:

[speaking as an individual only]

> Name constraints itself if orthogonal to CT but both of these achieve the same goal.  Restrict a CA to issue certs for the domains they are suppose to. The difference is following :
>
>  *  In CT, you log the cert into CT logs at the time of issuance of each cert  
>  *  Name constrained is upfront where CA declares that I am going to issue certs only for ford.com, jaguar.com (hypothetically) and that’s it.  

Sure, but having a CA per TLD or even per group of SLD's would explode
the number of CAs required. And if these all need to comply to the
CAB/Forum rules, that's a lot of auditing.

> Named constraints CA shouldn’t need to log each time when a cert is issued.  Because the verification and monitor of whether the CA has complied with the goal is done offline or a different time in both the
> scenarios.

How would you detect a mis-issuance within the named constraint without CT?

> The draft doesn’t address what should be an alternative for folks who don’t want CT

It could mention DNSSEC and DANE (TLSA), but I don't think it is
neccessary in this document.

>  *  CT adds burden for each certificate issuance. It adds ~7seconds to every cert issuance and it adds a new failure endpoint in the path.

I don't think it adds latency if you regularly fetch the latest tree head?

>  *  CT has 0 alternatives.


DNSSEC with DANE/TLSA is an alternative.

> There is no mechanism for redaction.

[chair hat on ]

Redaction has been brought up a number of times, but has not seen enough
work done for it to be added in this document. Later on, it was suggested
redaction should be done as a separate document.

[/chair hat]

> CT drives an important industry-wide goal. There are other ways to achieve the same goal. And for organizations where each millisecond matters, the user agent should support an alternative rather than add
> load and failure point at their critical path of issuance.  Named constraints is within the books of PKI.  A CA can be held accountable like any other CA/Browser baseline requirements that if they issue
> certs outside of their constraints then they should take immediate action or get distrusted. It won’t be any different from a CA doing a wrong thing and got caught via CT monitors.

The draft only talks about the protocol. Whether or not to allow or
require it, in the presence or absence of CT, is up the the browser
vendors. So my question to you would be, if name constraints are to
be considered for this draft, would it require a document change?

> This draft should prescribe an alternative to achieve the same goal which is achieved by CT and the details on that alternative can be covered somewhere else.

I'm confused that you say there are no alternatives and that
alternatives should be mentioned in the document?

Paul

> From: Eran Messeri <eranm=40google.com@dmarc.ietf.org>
> Sent: Thursday, June 20, 2019 3:10 AM
> To: Paul Wouters <paul@nohats.ca>
> Cc: Rashmi Jha <rashmij@microsoft.com>om>; trans@ietf.org
> Subject: Re: [Trans] draft-ietf-trans-rfc6962-bis-31
> 
>  
> 
> Paul made the point quite accurately - CT is orthogonal to name-constraining a CA, and can be used to validate the CA has adhered to the constrained names.
> 
>  
> 
> Additionally, there's no way to signal to a user agent that  such a CA would be "exempt" from CT (some user agents have Enterprise controls to allow instances managed by the organization to not require CT
> for certain domains, though).
> 
>  
> 
> On Thu, Jun 20, 2019 at 12:44 AM Paul Wouters <paul@nohats.ca> wrote:
>
>       On Wed, 19 Jun 2019, Rashmi Jha wrote:
>
>       > Have you looked into the options of not requiring CT for CAs which are constrained to a brief list of domains ? I understand this was considered in the past but couldn’t find details why this
>       was not
>       > accepted.
>
>       Whether or not to require CT is not part of the document. This seems
>       more like a question to browser vendors. The draft only states:
> 
>
>           In addition, if TLS clients will not accept unlogged certificates,
>           then site owners will have a greater incentive to submit certificates
>           to logs, possibly with the assistance of their CA, increasing the
>           overall transparency of the system.
>
>       The "if" there is important. It is not a decision made in this document
>       or this Working Group.
>
>       The draft only lists the requirements and formats for when CT is used.
>
>       > Named constraint by default provide the assurance as to what domains they will issue. CT becomes an additional network call in in issuance of certificate which can be prevented.  
>
>       Not "assurance", but "expectation". CT is there to confirm this
>       expectation. Surely, you want CT logs to show captured certificates that
>       were signed by a CA outside of that CA's own Named constraint policy?
>
>       Additionally, if you skip accepting certificates within a named
>       constraint, what do you do when some CA claims ".com" as their
>       named constraint?
>
>       Paul
>
>       _______________________________________________
>       Trans mailing list
>       Trans@ietf.org
>       https://www.ietf.org/mailman/listinfo/trans
> 
> 
>

v2.8.7 | Report a Bug | By Email