Re: [Trans] DNSSEC also needs CT
Ben Laurie <benl@google.com> Tue, 13 May 2014 11:52 UTC
Return-Path: <benl@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E6D01A008D for <trans@ietfa.amsl.com>; Tue, 13 May 2014 04:52:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.029
X-Spam-Level:
X-Spam-Status: No, score=-2.029 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Bm9kwLvUvwA for <trans@ietfa.amsl.com>; Tue, 13 May 2014 04:52:05 -0700 (PDT)
Received: from mail-ve0-x231.google.com (mail-ve0-x231.google.com [IPv6:2607:f8b0:400c:c01::231]) by ietfa.amsl.com (Postfix) with ESMTP id 61B041A0084 for <trans@ietf.org>; Tue, 13 May 2014 04:52:05 -0700 (PDT)
Received: by mail-ve0-f177.google.com with SMTP id db11so254561veb.22 for <trans@ietf.org>; Tue, 13 May 2014 04:51:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=tCMtZj3lWFO/Fb4tMEwm+GTzqpjjYtFGEhhsVflJAoE=; b=Y9JBL6OZ9wUtWR/edG76sI570brGceNFE4Ji+0uMtBO6bRL8LYTOFO8Ni50KRjXDSx RN0SAMH1BvW2fsLhiB09qVJ+NsjD36T7fVluuJs+/G77n8Rp32f+DjBFpJNEBHuqiG4C 3rPLr8SXT8bduWPx7Keot+Ows2ebwBrd8ity7ChYtM390q94G4mFgB6RETsXvelj2WvR /OZtxHfOdP1RNxVhS4dW0D9vYcxrd6hZcrgwAJIF0HHmlKMGlRwUvgvgT/2U+9skYv9k m6ITYC/TZo2j4hHwL0u/rzYMkNEZP10hhnDUECaEszRwGxNKWqZwbLHTtzK0H3mTl+Ln Ooaw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=tCMtZj3lWFO/Fb4tMEwm+GTzqpjjYtFGEhhsVflJAoE=; b=K8YWo/RaJ587ofK/yo92tm+1PpnGw03F6hvwrlzbimslXgOwHVfrjY9PkC3faqfziy r6p4DFl/MM468FLz7nRK1rBm9KVCSGv864WlBoL5m6+gm8aTV/a/b3p5af64lgTlAx4W Z1l2riuLBPQ90B8NYU1su03fqOEcC7AVZV+1l6DaaDEbJQuhT2u9RT4+Sg6gSEcIjhxC sgtzvhL8jmfnQoKTVa6m7vwlm8z5yxI2Jk3IEjs5yo79j0N+z6uLEP6j5BiFBo+a8cgB I+qufMd4dYYcEXPq3L4flXvLQusIG4lr7qxBxSfPE8xamw5zAHME4HKZgiS57XjyUK2i Lrtg==
X-Gm-Message-State: ALoCoQlncMFTOVIClARbLPxrbKefZn/Qx49hgGUIAKiCK+QKHjZ4ri+IuL+J6fj83lv8egWi0BU2
MIME-Version: 1.0
X-Received: by 10.221.42.135 with SMTP id ty7mr28732645vcb.14.1399981918932; Tue, 13 May 2014 04:51:58 -0700 (PDT)
Received: by 10.52.252.97 with HTTP; Tue, 13 May 2014 04:51:58 -0700 (PDT)
In-Reply-To: <CAK3OfOiC+5+s2UtSEP788W23tHq6VQSQfMsUboUp16L-27zsvQ@mail.gmail.com>
References: <CAK3OfOjiL2DTJPH3CaAjg8YGrrwN56SgQ+DnqPXx4MLbgXQN+A@mail.gmail.com> <CAMm+Lwieij8Tm8V-gpE0eAfwie1dgtFL_Ga8dPkJFKJKLQDAcA@mail.gmail.com> <CAK3OfOiKjY6YyiyeHiFJrecZfj_uQ-2k+KucKnzb9Yt8VCRPOQ@mail.gmail.com> <CAHw9_iKpN7AXfrH6SzroMukrKTPR5z24U9KfWpVW-F2R_wX3ag@mail.gmail.com> <alpine.LFD.2.10.1405101722240.897@bofh.nohats.ca> <CABrd9ST7K-7RGwGD2G+kDcVSceC2ZJ-5Tz2tdp5NWa3cqBK+-w@mail.gmail.com> <CAOe4Ui=nqmCfjBYNE2CJtEs1jnbavpY4Dv-T3FRDdAwAA2dScg@mail.gmail.com> <CAK3OfOiYMJkXVR+QsCzEV0ir6u53coJz0b-JdGGD5bTTz5YcMg@mail.gmail.com> <CAOe4Ui=u0fkm9_nuXx_6gpH6jHM5pBvzjzru9O8y3bpLkA0qmw@mail.gmail.com> <CAK3OfOi6y=QAMXe_2axiavxwR5nS2Uv8SM4JxQHsvEKbUyNGCA@mail.gmail.com> <CAOe4Uimvc6e6u=fJjM1-iaOTepA33Sx5CBjMV9dB8sSLqtZoWA@mail.gmail.com> <CAK3OfOhdhWdGvvhuaGyE_p5kLy0ZX-V5sAXfoLGP_8d8vPJDgg@mail.gmail.com> <CAOe4Uik+fjM4wTVBiFxphVZAwVYBPgd1a9xUyUBMSFy30SWNLg@mail.gmail.com> <CAK3OfOiC+5+s2UtSEP788W23tHq6VQSQfMsUboUp16L-27zsvQ@mail.gmail.com>
Date: Tue, 13 May 2014 12:51:58 +0100
Message-ID: <CABrd9STYxmK6gg7a5wDtejdc_Y0aD9hwQkHpFu3HbxVbMZDQHQ@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Nico Williams <nico@cryptonector.com>
Content-Type: multipart/alternative; boundary="001a11339974f86e1304f946b008"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/35_3vQhVCbljIK3tTByH5qqAbxw
Cc: Paul Wouters <paul@nohats.ca>, "trans@ietf.org" <trans@ietf.org>, Joseph Bonneau <jbonneau@gmail.com>, Warren Kumari <warren@kumari.net>
Subject: Re: [Trans] DNSSEC also needs CT
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 May 2014 11:52:07 -0000
On 13 May 2014 07:34, Nico Williams <nico@cryptonector.com> wrote: > On Tue, May 13, 2014 at 12:22 AM, Joseph Bonneau <jbonneau@gmail.com> > wrote: > >> Is CT intended to be run all the way from the root to the CAs furthest > >> from the root? I didn't think it was, and if it is, please tell me. > > > > Yes, it is. The goal of CT is that browsers will eventually reject any > > end-entity TLS certificate that doesn't have an SCT. I believe this is > true > > regardless of the number of intermediate CAs in the cert's path to a > trusted > > root. There's an exception for trust anchors manually added to the > browser > > to accommodate private CAs, but essentially all certificates that > standard > > browsers will accept out of the box must be logged. > > Ah, yes, and actually we should want the same for DNSSEC. The problem > then becomes privacy. But I think we can achieve that by not logging > names, just hashes of the relevant RRsets, no? Since public keys will > generally be part of the relevant RRsets this won't help zone > enumerators. > Is it necessary to log anything other than keys? My base assumption was no: if the keys are as expected, then all records signed by those keys can be trusted. If someone wants to publish RRsets that are other than the one the true domain owner wants to publish, they necessarily have to inject a key they control, which becomes apparent from the logs. -- Certificate Transparency is hiring! Let me know if you're interested.
- [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Mehner, Carl
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Tao Effect
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Tao Effect
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Tao Effect
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Warren Kumari
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Daniel Kahn Gillmor
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Salz, Rich
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- [Trans] Volunteer opportunity! (was Re: DNSSEC al… Melinda Shore
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Nico Williams
- [Trans] ***SPAM*** 8.1 (5) Re: DNSSEC also needs … Daniel Kahn Gillmor
- Re: [Trans] DNSSEC also needs CT Nico Williams
- [Trans] ***SPAM*** 7.971 (5) Re: ***SPAM*** 8.1 (… Ben Laurie
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Nico Williams
- [Trans] ***SPAM*** 8.956 (5) Re: ***SPAM*** 8.1 (… Nico Williams
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- [Trans] ***SPAM*** 8.1 (5) Re: Re: DNSSEC also ne… Daniel Kahn Gillmor
- [Trans] ***SPAM*** 8.956 (5) Re: ***SPAM*** 8.1 (… Nico Williams
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Melinda Shore
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Osterweil, Eric
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Osterweil, Eric
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Daniel Kahn Gillmor
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Stephen Kent
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… i-barreira
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Stephen Kent
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- [Trans] trans doc issues Stephen Kent