Re: [Trans] DNSSEC also needs CT

Nico Williams <nico@cryptonector.com> Tue, 13 May 2014 06:34 UTC

In-Reply-To: <CAOe4Uik+fjM4wTVBiFxphVZAwVYBPgd1a9xUyUBMSFy30SWNLg@mail.gmail.com>
References: <CAK3OfOjiL2DTJPH3CaAjg8YGrrwN56SgQ+DnqPXx4MLbgXQN+A@mail.gmail.com> <CAMm+Lwieij8Tm8V-gpE0eAfwie1dgtFL_Ga8dPkJFKJKLQDAcA@mail.gmail.com> <CAK3OfOiKjY6YyiyeHiFJrecZfj_uQ-2k+KucKnzb9Yt8VCRPOQ@mail.gmail.com> <CAHw9_iKpN7AXfrH6SzroMukrKTPR5z24U9KfWpVW-F2R_wX3ag@mail.gmail.com> <alpine.LFD.2.10.1405101722240.897@bofh.nohats.ca> <CABrd9ST7K-7RGwGD2G+kDcVSceC2ZJ-5Tz2tdp5NWa3cqBK+-w@mail.gmail.com> <CAOe4Ui=nqmCfjBYNE2CJtEs1jnbavpY4Dv-T3FRDdAwAA2dScg@mail.gmail.com> <CAK3OfOiYMJkXVR+QsCzEV0ir6u53coJz0b-JdGGD5bTTz5YcMg@mail.gmail.com> <CAOe4Ui=u0fkm9_nuXx_6gpH6jHM5pBvzjzru9O8y3bpLkA0qmw@mail.gmail.com> <CAK3OfOi6y=QAMXe_2axiavxwR5nS2Uv8SM4JxQHsvEKbUyNGCA@mail.gmail.com> <CAOe4Uimvc6e6u=fJjM1-iaOTepA33Sx5CBjMV9dB8sSLqtZoWA@mail.gmail.com> <CAK3OfOhdhWdGvvhuaGyE_p5kLy0ZX-V5sAXfoLGP_8d8vPJDgg@mail.gmail.com> <CAOe4Uik+fjM4wTVBiFxphVZAwVYBPgd1a9xUyUBMSFy30SWNLg@mail.gmail.com>
Date: Tue, 13 May 2014 01:34:40 -0500
Message-ID: <CAK3OfOiC+5+s2UtSEP788W23tHq6VQSQfMsUboUp16L-27zsvQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Joseph Bonneau <jbonneau@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/760egDijmXU8h_LryERhzxwgmU4
Cc: Warren Kumari <warren@kumari.net>, "trans@ietf.org" <trans@ietf.org>, Paul Wouters <paul@nohats.ca>, Ben Laurie <benl@google.com>
Subject: Re: [Trans] DNSSEC also needs CT

On Tue, May 13, 2014 at 12:22 AM, Joseph Bonneau <jbonneau@gmail.com> wrote:
>> Is CT intended to be run all the way from the root to the CAs furthest
>> from the root?  I didn't think it was, and if it is, please tell me.
>
> Yes, it is. The goal of CT is that browsers will eventually reject any
> end-entity TLS certificate that doesn't have an SCT. I believe this is true
> regardless of the number of intermediate CAs in the cert's path to a trusted
> root. There's an exception for trust anchors manually added to the browser
> to accommodate private CAs, but essentially all certificates that standard
> browsers will accept out of the box must be logged.

Ah, yes, and actually we should want the same for DNSSEC.  The problem
then becomes privacy.  But I think we can achieve that by not logging
names, just hashes of the relevant RRsets, no?  Since public keys will
generally be part of the relevant RRsets this won't help zone
enumerators.

Nico
--
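The proposal above, logging hashes of RRsets rather than names, as an added worked example (this is editorial illustration, not code from the thread, from Google's CT implementation or from any IETF draft). It assumes a text-form canonicalisation that simplifies RFC 4034 section 6 (lowercased owner name, TTL omitted, RDATA sorted) where a real log would hash wire-format records, and it reuses the RFC 6962 leaf/node hashing for the tree. The DNSKEY records and key strings are constructed placeholders. The point it demonstrates: the published log carries only digests, so a reader of the log learns no owner names, while a party who already knows a name and its RRset can recompute the digest and check that exactly that RRset (including its public keys) was logged, and a substituted RRset is not found.

```python
"""Hash-only transparency log entries for DNSSEC RRsets (added example).

Canonicalisation is a text-form simplification of RFC 4034 section 6;
leaf/node hashing follows RFC 6962. All record data is constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class RR:
    owner: str    # e.g. "example.com."
    rrtype: str   # e.g. "DNSKEY"
    rdata: str    # presentation-format RDATA


def canonical_rrset(rrs: List[RR]) -> bytes:
    """Canonical byte string for an RRset, independent of record order and owner case."""
    owners = {r.owner.lower().rstrip(".") + "." for r in rrs}
    types = {r.rrtype.upper() for r in rrs}
    if len(owners) != 1 or len(types) != 1:
        raise ValueError("an RRset has exactly one owner name and one type")
    owner, rrtype = owners.pop(), types.pop()
    # Collapse whitespace in RDATA and sort, mirroring RFC 4034's RDATA ordering.
    rdatas = sorted(" ".join(r.rdata.split()) for r in rrs)
    return ("\n".join([f"{owner} IN {rrtype}"] + rdatas) + "\n").encode()


def rrset_leaf_hash(rrs: List[RR]) -> bytes:
    """RFC 6962 leaf hash: SHA-256(0x00 || canonical RRset)."""
    return hashlib.sha256(b"\x00" + canonical_rrset(rrs)).digest()


def merkle_root(leaves: List[bytes]) -> bytes:
    """RFC 6962 Merkle tree head over already-hashed leaves."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaves[0]
    k = 1
    while k * 2 < len(leaves):   # largest power of two strictly less than n
        k *= 2
    left, right = merkle_root(leaves[:k]), merkle_root(leaves[k:])
    return hashlib.sha256(b"\x01" + left + right).digest()


class HashOnlyLog:
    """Append-only log whose entries are RRset hashes, never names."""

    def __init__(self) -> None:
        self.leaves: List[bytes] = []

    def append(self, rrs: List[RR]) -> int:
        self.leaves.append(rrset_leaf_hash(rrs))
        return len(self.leaves) - 1

    def tree_head(self) -> bytes:
        return merkle_root(self.leaves)

    def contains(self, rrs: List[RR]) -> bool:
        """A verifier who knows name and RRset recomputes the hash and looks it up."""
        return rrset_leaf_hash(rrs) in self.leaves

    def published_entries(self) -> List[str]:
        """What an observer of the log sees: hex digests only."""
        return [h.hex() for h in self.leaves]


# Constructed DNSKEY RRset; key material is placeholder text, not real keys.
EXAMPLE_DNSKEY = [
    RR("example.com.", "DNSKEY", "257 3 13 KSK-PLACEHOLDER-PUBLIC-KEY=="),
    RR("example.com.", "DNSKEY", "256 3 13 ZSK-PLACEHOLDER-PUBLIC-KEY=="),
]
# The same RRset as a resolver might see it: other order, other case, extra space.
EXAMPLE_DNSKEY_REORDERED = [
    RR("EXAMPLE.COM", "dnskey", "256 3 13  ZSK-PLACEHOLDER-PUBLIC-KEY=="),
    RR("EXAMPLE.COM", "dnskey", "257 3 13 KSK-PLACEHOLDER-PUBLIC-KEY=="),
]
# A substituted RRset with one key replaced; it must not match the logged hash.
SUBSTITUTED_DNSKEY = [
    RR("example.com.", "DNSKEY", "257 3 13 KSK-PLACEHOLDER-PUBLIC-KEY=="),
    RR("example.com.", "DNSKEY", "256 3 13 ROGUE-ZSK-PLACEHOLDER-KEY=="),
]


def demo() -> Dict[str, object]:
    log = HashOnlyLog()
    log.append(EXAMPLE_DNSKEY)
    log.append([RR("other.example.", "DNSKEY", "257 3 13 OTHER-PLACEHOLDER-KEY==")])
    entries = log.published_entries()
    return {
        "genuine_logged": log.contains(EXAMPLE_DNSKEY_REORDERED),
        "substituted_logged": log.contains(SUBSTITUTED_DNSKEY),
        "names_visible": any("example" in e for e in entries),
        "tree_head": log.tree_head().hex(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats follow from the email's own observation. Because the hash covers the public keys, an observer cannot recover names from the log, but whoever already holds a candidate name and RRset can confirm it was logged, which is what an auditor needs and what a zone enumerator cannot do without the data in hand. And the canonicalisation must be exact: a log and a verifier that disagree on ordering, case folding or TTL handling will compute different digests for the same records, so a production design would hash the wire-format canonical form that RRSIG validation already requires.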