Re: [Trans] Goals and generic mis-issuance fgramework
Stephen Kent <kent@bbn.com> Mon, 24 November 2014 14:07 UTC
Return-Path: <kent@bbn.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FE781A024E for <trans@ietfa.amsl.com>; Mon, 24 Nov 2014 06:07:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BaKDShj3UmjR for <trans@ietfa.amsl.com>; Mon, 24 Nov 2014 06:07:05 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 913D31A02BE for <trans@ietf.org>; Mon, 24 Nov 2014 06:07:05 -0800 (PST)
Received: from dommiel.bbn.com ([192.1.122.15]:49756 helo=comsec.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1XsuIR-0001ur-Kx for trans@ietf.org; Mon, 24 Nov 2014 09:07:19 -0500
Message-ID: <54733B8B.8030505@bbn.com>
Date: Mon, 24 Nov 2014 09:07:07 -0500
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: trans@ietf.org
References: <5436FC38.1070201@bbn.com> <544B0DD62A64C1448B2DA253C011414607D2BA8687@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <93CB5AEA-4672-48D1-8477-DF5DE3D143CE@vigilsec.com> <544B0DD62A64C1448B2DA253C011414607D375BE52@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <4262AC0DB9856847A2D00EF817E81139243728@scygexch10.cygnacom.com> <CALzYgEeei9wC0mi6sBBpp6wJWugh5PwridooyA7qAL+UcNzRLA@mail.gmail.com> <4262AC0DB9856847A2D00EF817E81139243DF5@scygexch10.cygnacom.com> <CALzYgEf4k-+AXytSfNJiwJ_qbA_1_HV3hSb6a8Ney6xr8R4-sQ@mail.gmail.com>
In-Reply-To: <CALzYgEf4k-+AXytSfNJiwJ_qbA_1_HV3hSb6a8Ney6xr8R4-sQ@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/33T6hrJXwjImU6Fr6A4SAKLzpyo
Subject: Re: [Trans] Goals and generic mis-issuance fgramework
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Nov 2014 14:07:11 -0000
Eran, > In that case, how about including the CCID and the results of the > checks the log performed in the get-sth response, but not in the SCT > itself? The SCT will be available to the client (in the cert or as part of a handshake), so the CCID needs to be there for the client to take advantage of it. > The log could still sign the complete get-sth reply so submitters get > a confirmation it is indeed the log which performed the checks, and > TLS clients will not be burdened with handling another field in the > SCT there's no immediate use for. If, as Ben has recently suggested, there are few or no client mandated client checks, then all of the SCT data has no immediate use :-). More to the point, it behooves us to decide on an SCT format that need not change for a while, so as to minimize the impact on clients and Monitors. > As I said, I see the value in getting an "independent opinion" on the > validity of a chain submitted to the log (both in syntactic and > semantic compliance perspectives) and is much more useful than the > current error handling approach (where the log returns a vague error). > I just like to exclude this information from being embedded in the SCT > if it's not useful for TLS clients. I think I've provided a few examples of how it might be used by clients. Steve
- [Trans] Goals and generic mis-issuance fgramework Stephen Kent
- Re: [Trans] Goals and generic mis-issuance fgrame… Rick Andrews
- Re: [Trans] Goals and generic mis-issuance fgrame… Stephen Kent
- Re: [Trans] Goals and generic mis-issuance fgrame… Russ Housley
- Re: [Trans] Goals and generic mis-issuance fgrame… Rick Andrews
- Re: [Trans] Goals and generic mis-issuance fgrame… Santosh Chokhani
- Re: [Trans] Goals and generic mis-issuance fgrame… Eran Messeri
- Re: [Trans] Goals and generic mis-issuance fgrame… Rick Andrews
- Re: [Trans] Goals and generic mis-issuance fgrame… Santosh Chokhani
- Re: [Trans] Goals and generic mis-issuance fgrame… Eran Messeri
- Re: [Trans] Goals and generic mis-issuance fgrame… Santosh Chokhani
- Re: [Trans] Goals and generic mis-issuance fgrame… Stephen Kent
- Re: [Trans] Goals and generic mis-issuance fgrame… Phillip Hallam-Baker
- Re: [Trans] Goals and generic mis-issuance fgrame… Stephen Kent
- Re: [Trans] Goals and generic mis-issuance fgrame… Stephen Kent