IETF Logo Mail Archive

Re: [Trans] Relaxing section 5.1

Rob Stradling <rob.stradling@comodo.com> Wed, 14 December 2016 15:03 UTC

Return-Path: <rob.stradling@comodo.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8236B1296C8 for <trans@ietfa.amsl.com>; Wed, 14 Dec 2016 07:03:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g-IQ224eiq9t for <trans@ietfa.amsl.com>; Wed, 14 Dec 2016 07:03:16 -0800 (PST)
Received: from mmextmx1.mcr.colo.comodoca.net (mmextmx1.mcr.colo.comodoca.net [IPv6:2a02:1788:402:c00::c0a8:9cd5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C62CD129702 for <trans@ietf.org>; Wed, 14 Dec 2016 07:03:15 -0800 (PST)
Received: (qmail 9952 invoked by uid 1004); 14 Dec 2016 15:03:13 -0000
Received: from ian.brad.office.comodo.net (HELO ian.brad.office.comodo.net) (192.168.0.202) by mmextmx1.mcr.colo.comodoca.net (qpsmtpd/0.84) with ESMTP; Wed, 14 Dec 2016 15:03:13 +0000
Received: (qmail 11010 invoked by uid 1000); 14 Dec 2016 15:03:13 -0000
Received: from and0004.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (AES128-SHA encrypted) ESMTPSA; Wed, 14 Dec 2016 15:03:13 +0000
To: "trans@ietf.org" <trans@ietf.org>
References: <CAK6vND8_4OQ0du0MC8Z5=NJR5ho1EpT-8H41O+Te9tvM3YeNcg@mail.gmail.com> <CALzYgEcuf+WoUVy=vsPYJ7t49ASe_5Tc7ySOuKoYJMzpODHtSA@mail.gmail.com> <1c7240d7-f38d-2011-ad45-587843e0f1f8@gmail.com> <CAK6vND_XeyQsO=4pP12e3HL+r8Cdw_M7Gm1SB5zoQKGHbKUP7w@mail.gmail.com> <CABrd9SQ506fFGvrEj=Sknb-Lm3HESGwOvcuG84xovttxwirYSw@mail.gmail.com> <CAK6vND9b4oEOnZR=PtWw-znbsu785Gps87jumAXgFjkro-tptg@mail.gmail.com> <CABrd9SQnFApjrn2zOekHcfgvV6NyFFTr9ObwUdncsUggc7cFNg@mail.gmail.com> <CAK6vND-sy2vCP4dufSBV0_-tT3BU1EOj-T4MJnObOQaeO3V2xg@mail.gmail.com> <CABrd9SQf3Sp=C9JZgf=OGY2pLL+-cNfxLKWPFq263yGFQ-4Dag@mail.gmail.com> <CALzYgEfdDpHkKUZMfLoTd56kXHnE1jQKkSTkwnv3SA1t+Pbr8A@mail.gmail.com> <CABrd9SS7=TuLK8WfkULUr9C6p-sri2yj17qsZeYgYbqgHkygDA@mail.gmail.com> <CALzYgEd-wEd-oNuHUMc3k3FzjN-01v6GnNnCsKiUkS2+e3+V1w@mail.gmail.com>
From: Rob Stradling <rob.stradling@comodo.com>
Message-ID: <0415b9df-f67e-c19a-38d0-02135cc47a29@comodo.com>
Date: Wed, 14 Dec 2016 15:03:13 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <CALzYgEd-wEd-oNuHUMc3k3FzjN-01v6GnNnCsKiUkS2+e3+V1w@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/67vJuqUlcMxrnshl3h0FfwQiuTw>
Cc: Eran Messeri <eranm@google.com>, Ben Laurie <benl@google.com>, Peter Bowen <pzbowen@gmail.com>, Melinda Shore <melinda.shore@gmail.com>
Subject: Re: [Trans] Relaxing section 5.1
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Dec 2016 15:03:22 -0000

On 17/11/16 12:21, Eran Messeri wrote:
> FYI this is the change to the draft:
> https://github.com/google/certificate-transparency-rfcs/commit/bf6603e10affbee97b07e33265494efbd07c833f

FYI, I did a couple of other tweaks, for consistency with this change.

https://github.com/google/certificate-transparency-rfcs/commit/d5087815f84510f90d0d0649a5d9f0fb402cc6af

> In addition to the change from MUST to SHOULD, I've added an example as
> to why the a log may chose to reject valid submissions.
>
> Eran
>
> On Wed, Nov 16, 2016 at 8:26 PM, Ben Laurie <benl@google.com
> <mailto:benl@google.com>> wrote:
>
>     On 16 November 2016 at 02:00, Eran Messeri <eranm@google.com
>     <mailto:eranm@google.com>> wrote:
>     > My proposed compromise at the trans workgroup meeting yesterday was to
>     > change the MUST in the following paragraph to a SHOULD:
>     > "Logs MUST accept certificates and precertificates that are fully valid
>     > according to RFC 5280 verification rules and are submitted with such a
>     > chain."
>     >
>     > I believe that this change allows creating logs that can reject valid
>     > submissions under some circumstances while complying with 6962-bis. And we
>     > wouldn't have to go through WGLC again for such a change.
>
>     This seems like a reasonable plan (mildly surprised such a change can
>     be made without WGLC, tho!).
>
>     >
>     > On Sat, Nov 5, 2016 at 12:42 AM, Ben Laurie <benl@google.com
>     <mailto:benl@google.com>> wrote:
>     >>
>     >> On 4 November 2016 at 14:07, Peter Bowen <pzbowen@gmail.com
>     <mailto:pzbowen@gmail.com>> wrote:
>     >> > On Fri, Nov 4, 2016 at 6:33 AM, Ben Laurie <benl@google.com
>     <mailto:benl@google.com>> wrote:
>     >> >>
>     >> >> The bit you didn't quote does say they the log has to accept valid
>     >> >> certs, tho: "Logs MUST accept certificates and precertificates
>     that
>     >> >> are fully valid according to RFC 5280 [RFC5280] verification
>     rules and
>     >> >> are submitted with such a chain."
>     >> >
>     >> > Sorry about that.  So the three MUSTs together are:
>     >> >
>     >> > - Logs MUST verify that each submitted certificate or
>     precertificate
>     >> > has a valid signature chain to an accepted trust anchor, using the
>     >> > chain of intermediate CA certificates provided by the submitter.
>     >> >
>     >> > - Logs MUST reject submissions without a valid signature chain
>     to an
>     >> > accepted trust anchor.
>     >> >
>     >> > - Logs MUST accept certificates and precertificates that are fully
>     >> > valid according to RFC 5280 verification rules and are
>     submitted with
>     >> > such a chain.
>     >> >
>     >> > When I read these together, I read that Logs must accept _any_
>     >> > certificate that is fully valid according to RFC 5280 verification
>     >> > rules and chains to any root the log trusts and logs must
>     _only_ log
>     >> > such certificates (and no others).
>     >> >
>     >> > If this is accurate, we need to account for all types of
>     certificates
>     >> > being logged, as a log cannot choose to reject certificates for
>     usages
>     >> > other than server authentication and the log cannot reject
>     >> > certificates that have personal information (e.g. an server
>     >> > authentication certificate that states which human requested the
>     >> > certificate in the subject).
>     >> >
>     >> > This seems like a very strong assertion of policy rather than a
>     >> > technical discussion of how the CT protocol works.  I would
>     again ask
>     >> > the WG to reconsider the requirement levels specified in this
>     section.
>     >>
>     >> FWIW, I tend to agree. I would also note that operationally, we have
>     >> already discussed options for logs that are incompatible with these
>     >> requirements, for example:
>     >>
>     >> * sharded logs (e.g. by hash(cert) mod n).
>     >>
>     >> * logs that only accept short or long lifetime certificates (this
>     >> would allow the working set to be reduced in size for CAs that
>     issue a
>     >> lot of short-lived certs).
>     >>
>     >> _______________________________________________
>     >> Trans mailing list
>     >> Trans@ietf.org <mailto:Trans@ietf.org>
>     >> https://www.ietf.org/mailman/listinfo/trans
>     <https://www.ietf.org/mailman/listinfo/trans>
>     >
>     >
>
>
>
>
> _______________________________________________
> Trans mailing list
> Trans@ietf.org
> https://www.ietf.org/mailman/listinfo/trans
>

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.

v2.30.2 | Report a Bug | By Email | System Status