IETF Logo Mail Archive

Re: [Trans] WGLC started for draft-ietf-trans-threat-analysis

Ryan Sleevi <ryan-ietf@sleevi.com> Tue, 15 May 2018 15:34 UTC

Return-Path: <ryan-ietf@sleevi.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EAB212D94C for <trans@ietfa.amsl.com>; Tue, 15 May 2018 08:34:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sleevi.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d04z_dXez5MN for <trans@ietfa.amsl.com>; Tue, 15 May 2018 08:34:32 -0700 (PDT)
Received: from homiemail-a109.g.dreamhost.com (homie-sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9C7B12DA43 for <trans@ietf.org>; Tue, 15 May 2018 08:34:28 -0700 (PDT)
Received: from homiemail-a109.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a109.g.dreamhost.com (Postfix) with ESMTP id D7BD220047388 for <trans@ietf.org>; Tue, 15 May 2018 08:34:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=mime-version :in-reply-to:references:from:date:message-id:subject:to:cc :content-type; s=sleevi.com; bh=vTtOSD7u7KusVXjAbK/63mUrcHI=; b= tpgcIoFCVeEjdtnVaD9JXENE0exjTlNfsaVuFXSZRvvx4asQ8PcrHHppxqV36ztn l1EI4OnbQj2jOuIou+XyOCGAwxFT3zRJpxqtynqaPJXyy3XfyKAWWuzjhRY+a1TW xjF/5fyTqrKvvUn6dlADnfyKWEs8GLsHzvCaJwJid84=
Received: from mail-it0-f52.google.com (mail-it0-f52.google.com [209.85.214.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: ryan@sleevi.com) by homiemail-a109.g.dreamhost.com (Postfix) with ESMTPSA id C9B6720047386 for <trans@ietf.org>; Tue, 15 May 2018 08:34:27 -0700 (PDT)
Received: by mail-it0-f52.google.com with SMTP id q4-v6so2680221ite.3 for <trans@ietf.org>; Tue, 15 May 2018 08:34:27 -0700 (PDT)
X-Gm-Message-State: ALKqPwftXMGJnIkZutwgzqbOotxY6pi1OU2PGfYDk40jernGJKft4bD/ DsDkO0zG9Nc4+yTaVjEKxu3qWmiAOjAXatOeDQk=
X-Google-Smtp-Source: AB8JxZrv50pOj4dIHGISHyBc2ieGiWg6YV5i9EFdvoTgN+H/UQ7yaaEtV4d7xhKZrzbGW9BJT2zV3SReRJh24tU5xEE=
X-Received: by 2002:a6b:10a0:: with SMTP id 32-v6mr17342779ioq.78.1526398467154; Tue, 15 May 2018 08:34:27 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a02:985a:0:0:0:0:0 with HTTP; Tue, 15 May 2018 08:34:26 -0700 (PDT)
In-Reply-To: <fdcddd94-fd7a-9275-7aec-916537326c0b@nist.gov>
References: <alpine.LRH.2.21.1804161658150.17034@bofh.nohats.ca> <20180507122941.300b69582fa3acdb52b625af@andrewayer.name> <alhGtNm005X-hBR82niHi9RpJoLosgZF8ah8HC4qLzFX0PPStVGSTbgJtP-zrg1u8vgfb_IiQ70ANuRua2kjRf4zwutQHVRo3pE2PCgZfHo=@zerho.info> <CAErg=HH7XM=a3fyYeSLnGA+C1iYrZT6VRPdpMfJw-JVqUirjEA@mail.gmail.com> <fdcddd94-fd7a-9275-7aec-916537326c0b@nist.gov>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Tue, 15 May 2018 11:34:26 -0400
X-Gmail-Original-Message-ID: <CAErg=HG3aKozAk3Q4k99ecEywNWJ830F-TXxypLCfh1-r8Cp5A@mail.gmail.com>
Message-ID: <CAErg=HG3aKozAk3Q4k99ecEywNWJ830F-TXxypLCfh1-r8Cp5A@mail.gmail.com>
To: "David A. Cooper" <david.cooper@nist.gov>
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>, Trans <trans@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006bad73056c405602"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/6fjyhKimcySqLv8dW_cAlGdrqgc>
Subject: Re: [Trans] WGLC started for draft-ietf-trans-threat-analysis
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 May 2018 15:34:34 -0000

On Tue, May 15, 2018 at 10:50 AM, David A. Cooper <david.cooper@nist.gov>
wrote:

> I can't speak for Steve, but I can provide an example of a syntax error I
> encountered as a result of "quirks of CA certificate-issuing software."
>
> Many years ago when I was tasked to check whether certificates being
> issued by a CA were being issued in conformance with the appropriate
> profile, I discovered that the keyUsage extensions in the certificates were
> not DER encoded. The contents of the extension were correct according to
> BER, but not DER, and everything else about the certificate was correct.
>
> This must have been the fault of the developer of the CA software and not
> the company operating the CA. This would not be a security or trust failure
> by the CA and most clients wouldn't even notice the problem. There would,
> however, be the risk that some client software somewhere would not accept
> the certificate simply because of the encoding problem, so it was useful
> for the encoding problem to be identified and fixed.
>

I think we may disagree on this assessment. I agree that it presents an
interoperability issue - but I think a failure of the CA to actually ensure
that their software conforms to the profile is a grounds for concern. We've
seen a spectrum of CAs and competencies - and I know of some CAs that have
expressly written tools to ensure everything they issue conforms to the
appropriate profile (i.e. they actually understand their systems) versus
CAs that think that if you use some COTS product, you've got Production
Grade issuance.

CT very much cares about detecting these issues, in practice, and in fact,
it's the detection, discovery, and mitigation of precisely these sorts of
issues that have demonstrated the most immediate practical value. Further,
because of the existence of such linting tools, CAs are now expected to run
such linting tools prior to their issuance.

It is thus, to that end, that having logs reject such certificates (i.e.
logs as linters) that would undermine the development of and enforcement of
issuance policy. Linting-as-a-service is provided by separable endpoints,
and while such services can mask the underlying issues that CAs have,
that's conversely part of the goal of having such APIs - to check a
tbsCertificate before the CA has actually signed the material, while
checking a precertificate/certificate means that the CA has actually signed
it, and is notable for detection and censure.

v2.23.0 | Report a Bug | By Email