Re: [Trans] responses to Ryan's detailed comments on draft-ietf-trans-threat-analysis-15

Tim Hollebeek <tim.hollebeek@digicert.com> Fri, 28 September 2018 14:37 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Benjamin Kaduk <kaduk@mit.edu>, Ryan Sleevi <ryan-ietf@sleevi.com>
CC: Trans <trans@ietf.org>, "stephentkent@gmail.com" <stephentkent@gmail.com>
Date: Fri, 28 Sep 2018 14:37:47 +0000
Message-ID: <DM5PR14MB1116A7D338E1C53ADDEBFB3583EC0@DM5PR14MB1116.namprd14.prod.outlook.com>
References: <071bd596-07ec-fe8a-861c-3ef181fec848@gmail.com> <CAErg=HEschK1K9UwS79uOPjgeCxVy4cEDHzhCQxpJrc3LxqNDQ@mail.gmail.com> <20180928022909.GG24695@kduck.kaduk.org>
In-Reply-To: <20180928022909.GG24695@kduck.kaduk.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/WWekGDR6he9UHZnPHVjD5v50x3c>
Subject: Re: [Trans] responses to Ryan's detailed comments on draft-ietf-trans-threat-analysis-15

> For what it's worth, I do not read 6962-bis as "very much being focused"
> on CA-based logging.  Consider, for example, certificate subjects submitting
> certificates to logs, something that is done without CA involvement and
> can be done in response to (e.g.) Logs being distrusted or browsers increasing
> the required number of SCTs.  It's unclear that CAs have as much incentive as
> subjects to be responsive to changing events in this way.

SCTs have to be included in the certificate, so logging by third parties does
not help with that problem.

-Tim
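The reply above turns on the fact that embedded SCTs live in an X.509 extension (OID 1.3.6.1.4.1.11129.2.4.2, RFC 6962 section 3.3) that only the CA can populate at issuance. As an added example, not part of the original message or of any RFC 6962 implementation, the following Python parses that extension's SignedCertificateTimestampList and checks an SCT-count policy against it; the log IDs, timestamps and signatures are constructed placeholders, and the extension value is assumed to have already been pulled out of the certificate.

```python
import struct
from collections import namedtuple
Sct = namedtuple("Sct", "version log_id timestamp_ms extensions hash_alg sig_alg signature")

def _take(buf, pos, n):  # bounds-checked slice: returns (bytes, new offset)
    if pos + n > len(buf):
        raise ValueError("truncated SCT data")
    return buf[pos:pos + n], pos + n
def _u16(buf, pos):  # big-endian 2-byte length field
    raw, pos = _take(buf, pos, 2)
    return struct.unpack(">H", raw)[0], pos

def parse_sct(data):
    """Parse one SignedCertificateTimestamp in TLS wire encoding (RFC 6962 3.2)."""
    ver, pos = _take(data, 0, 1)
    log_id, pos = _take(data, pos, 32)      # SHA-256 of the log's public key
    ts, pos = _take(data, pos, 8)           # milliseconds since the Unix epoch
    ext_len, pos = _u16(data, pos)
    extensions, pos = _take(data, pos, ext_len)
    algs, pos = _take(data, pos, 2)         # TLS SignatureAndHashAlgorithm
    sig_len, pos = _u16(data, pos)
    signature, pos = _take(data, pos, sig_len)
    if pos != len(data):
        raise ValueError("trailing bytes after SCT")
    return Sct(ver[0], log_id, struct.unpack(">Q", ts)[0], extensions, algs[0], algs[1], signature)

def parse_sct_list(data):
    """Parse a SignedCertificateTimestampList: 2-byte total length, then 2-byte-length-prefixed SCTs."""
    total, pos = _u16(data, 0)
    if total != len(data) - 2:
        raise ValueError("SCT list length does not match payload")
    scts = []
    while pos < len(data):
        n, pos = _u16(data, pos)
        item, pos = _take(data, pos, n)
        scts.append(parse_sct(item))
    return scts

def meets_sct_policy(data, required, distinct_logs=True):
    """True if the embedded list holds at least `required` SCTs (from distinct logs by default)."""
    scts = parse_sct_list(data)  # only SCTs the CA obtained at issuance can appear here
    count = len({s.log_id for s in scts}) if distinct_logs else len(scts)
    return count >= required

def encode_sct_list(entries):
    """Constructed test helper: (log_id, timestamp_ms, signature) tuples -> v1 SCTs, no extensions, ecdsa/sha256 (4, 3)."""
    scts = [b"\x00" + l + struct.pack(">Q", t) + b"\x00\x00" + bytes([4, 3])
            + struct.pack(">H", len(s)) + s for l, t, s in entries]
    body = b"".join(struct.pack(">H", len(x)) + x for x in scts)
    return struct.pack(">H", len(body)) + body
```

A certificate whose subject later submitted it to additional logs still fails `meets_sct_policy` if the CA did not embed enough SCTs, which is the point of the reply: those extra SCTs can only be delivered via the TLS extension or OCSP, never retrofitted into the certificate.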