Re: [Trans] overview of remaining(?) DISCUSS items for draft-ietf-trans-rfc6962-bis-33

Rob Stradling <rob@sectigo.com> Thu, 19 September 2019 13:53 UTC

From: Rob Stradling <rob@sectigo.com>
To: Paul Wouters <paul@nohats.ca>, Trans <trans@ietf.org>
Date: Thu, 19 Sep 2019 13:53:02 +0000
Message-ID: <b6ec6a38-a4c2-64b4-0584-d13deead2605@sectigo.com>
References: <alpine.LRH.2.21.1909181506160.11898@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1909181506160.11898@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/6Qw4aXWuDgei4z9i0mIPsqSsFnA>

On 18/09/2019 20:07, Paul Wouters wrote:
> On Wed, 18 Sep 2019, Rob Stradling wrote:
> 
>> No comments received after a week, so I'm going to merge PR 312 now and
>> publish -33.
> 
> Looking at the DISCUSS items, I see some minor items that seem to
> require some small edits. Can the authors answer these DISCUSS
> questions cited below and let us know if they will do another revision
> or whether they consider all DISCUSS items below resolved?
> 
> Paul

Hi Paul.

> Alissa Cooper:
> 
>      = Section 10.3 =
> 
>      This section needs to state what the registry policy is for the code
>      points not already registered (presumably Expert Review given 10.3.1,
>      but it needs to be explicit).

This was addressed by PR 309, in this commit:
https://github.com/robstradling/certificate-transparency-rfcs/commit/7cd3471548c903fd891a99227bf081ca51939470

>      = Section 10.6.1 =
> 
>      FCFS registries by definition can require additional information to be
>      provided in order to get something registered. For avoidance of
>      confusion I think the assignment policy should be listed as First Come
>      First Served and the requirement that parameters be included in the
>      application can use a normative MUST in the last paragraph if there is
>      concern that the parameters won't be supplied.
> 
>      However, I also wonder what will be done with the parameters that are
>      supplied. Is IANA expected to just maintain them privately, or to
>      publish them?
> 
>      What is expected to appear in the 'Log' column in the registry?

This was addressed by PR 309, in this commit:
https://github.com/robstradling/certificate-transparency-rfcs/commit/704a71a18457b4558ce26fe4be519d6ea06a729a

> And let me add my own question regarding 10.6.1. Should we expect these
> registry entries can change over time? If so, is it defined anywhere what
> consumers are supposed to do or how they are supposed to find out, that a
> log base url has changed? Shouldn't such a change be done using a new OID?

Since the OID (the Log ID) appears in each of the signed log artifacts 
(SCTs, STHs), I think trying to change the OID of an existing log would 
be pretty disastrous.

However, I agree that there could be legitimate reasons for wanting to 
change a log's base URL.  For example, in the currently deployed CT v1 
ecosystem, it would be really nice if Sectigo could update the base URLs 
of our Mammoth and Sabre logs.  ({mammoth,sabre}.ct.comodo.com made 
sense when we set up these logs, but then Sectigo (formerly Comodo CA) 
was carved out of Comodo).

Having said that though, I think the best approach would be to add a 
sentence to the document that says that log base URLs MUST NOT change. 
Nice and simple.

> Benjamin Kaduk:
> 
>      Sections 4.11 and 4.12 have arrays of NodeHash to carry consistency
>      and inclusion proofs, respectively, with minimum array size of 1.
>      However, Sections 2.1.4.1 and 2.1.3.1 (respectively) seem to admit
>      the possibility of zero-length proofs in degenerate cases
> 
> Mirja Kühlewind:
> 
>      There was a presentation at maprg IETF 103 about the question if CT
>      helps attackers to find new domains. I think this risk should at least
>      be mentioned in the security considerations section.
> 
> To answer Mirja, the work to discuss these was going to appear in the
> threat model draft. Unfortunately, this document got stuck due to
> unworkable differences between the author and the WG. While I don't
> object to adding a sentence covering your DISCUSS, I do not believe the
> WG should try to cherry-pick content of the threat document at this
> stage. So I think we should limit the Security Considerations to the
> specific bis document specification, and not include issues that cover
> the whole CT ecosystem.
> 
> Alexey Melnikov:
> 
>      I think you need to register [log client message type URN] in
>      <https://www.iana.org/assignments/params/params.xhtml#params-1>
> 
>      Also, can you clarify whether errors need an IANA registry?

We have not yet made any attempt to respond to the DISCUSS/COMMENT items 
from Benjamin Kaduk, Mirja Kühlewind, and Alexey Melnikov.

Now that the lengthy debate about BCP190 is over, I do intend to look at 
these remaining items soon.  I will be looking for help to address 
Benjamin's COMMENTs on section 2; I am not a cryptographer, and I want 
to ensure that these comments are satisfactorily addressed.

-- 
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited
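
The zero-length proof cases raised in Benjamin Kaduk's DISCUSS item, as an added example that is not part of the original message or of the draft: it implements the recursive Merkle audit path and consistency proof definitions from RFC 6962 section 2.1 (assumed here to match what the draft's Sections 2.1.3.1 and 2.1.4.1 describe) over constructed sample entries. A single-leaf tree and the m = n case both yield an empty list, which an array type with a minimum size of 1 cannot carry; all function names are this example's own.

```python
import hashlib

def _h(data):
    return hashlib.sha256(data).digest()

def _split(n):
    # Largest power of two strictly less than n (n >= 2).
    return 1 << ((n - 1).bit_length() - 1)

def mth(leaves):
    # Merkle Tree Hash: 0x00 prefix for leaves, 0x01 for interior nodes.
    if len(leaves) <= 1:
        return _h(b"\x00" + leaves[0]) if leaves else _h(b"")
    k = _split(len(leaves))
    return _h(b"\x01" + mth(leaves[:k]) + mth(leaves[k:]))

def inclusion_path(m, leaves):
    # PATH(m, D[n]); PATH(0, {d0}) is the empty list.
    if not 0 <= m < len(leaves):
        raise ValueError("leaf index out of range")
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if m < k:
        return inclusion_path(m, leaves[:k]) + [mth(leaves[k:])]
    return inclusion_path(m - k, leaves[k:]) + [mth(leaves[:k])]

def consistency_proof(m, leaves, complete=True):
    # PROOF(m, D[n]) = SUBPROOF(m, D[n], true), for 0 < m <= n.
    n = len(leaves)
    if not 0 < m <= n:
        raise ValueError("need 0 < m <= n")
    if m == n:
        return [] if complete else [mth(leaves)]
    k = _split(n)
    if m <= k:
        return consistency_proof(m, leaves[:k], complete) + [mth(leaves[k:])]
    return consistency_proof(m - k, leaves[k:], False) + [mth(leaves[:k])]

def root_from_path(m, n, leaf, path):
    # Verifier side: rebuild the root; rejects paths of the wrong length.
    if n == 1:
        if path:
            raise ValueError("audit path too long")
        return _h(b"\x00" + leaf)
    if not path:
        raise ValueError("audit path too short")
    k = _split(n)
    if m < k:
        return _h(b"\x01" + root_from_path(m, k, leaf, path[:-1]) + path[-1])
    return _h(b"\x01" + path[-1] + root_from_path(m - k, n - k, leaf, path[:-1]))

LEAVES = [b"entry-%d" % i for i in range(7)]  # constructed sample entries
```

A verifier built this way accepts the empty path for a one-entry log, so any wire encoding of the proof has to either permit zero elements or define the request as an error for those inputs.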