Re: [Trans] [trans] #77 (rfc6962-bis): normative client behavior specified in Section 5
Ben Laurie <benl@google.com> Tue, 07 July 2015 13:45 UTC
Return-Path: <benl@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE6FF1A020A for <trans@ietfa.amsl.com>; Tue, 7 Jul 2015 06:45:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.389
X-Spam-Level:
X-Spam-Status: No, score=-1.389 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NYkjanHTgsLh for <trans@ietfa.amsl.com>; Tue, 7 Jul 2015 06:45:10 -0700 (PDT)
Received: from mail-yk0-x235.google.com (mail-yk0-x235.google.com [IPv6:2607:f8b0:4002:c07::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4CD51A8879 for <trans@ietf.org>; Tue, 7 Jul 2015 06:45:10 -0700 (PDT)
Received: by ykeo3 with SMTP id o3so57238562yke.0 for <trans@ietf.org>; Tue, 07 Jul 2015 06:45:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=y6kiYG9xw8NiArHHQw0sqmaSG6oH6HwQNnv2FxFTS/4=; b=LOKhi6p5EMvowRnj6IUlcq4eaORBVbj5nmelvsJEKoi4c7GQEwBWgwMWfI0qgm8Aam Y4u3Ng12EWnG9CLR3angP5eZzlXAQvo6yfoQKCy0AZJg0sjmQHmgrwzNmA6V7b1KoYLu YlSOXY1u38850+aDZLRhjoVKmtgmK/Vo+Qa1CCzybK5Lv3Yq3QJETH4wacFe48xpqRVc UvdeTiROFUzx0GgraRrNdgUoW9F4wDw867iJ5AwS8O5y3vOxa64HYgLTXHPfOHsW0nyW eGhDAGd6vN58loDPVGuCpGM/RTRFUReS1diecyNsmcDmbrsn5HYAaFbXNQpZ+iYBYOMu vmEA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=y6kiYG9xw8NiArHHQw0sqmaSG6oH6HwQNnv2FxFTS/4=; b=SYKE5v3Fu99baa/FQ9qU8zgpVDsC4+QoE6Oo5akc98DkmdWjRzPnwK7FS93xV/bnn1 pb2eX7quwdJc+Gv6rWO3knJSmT5MkrKToJptzPv9a5cwNsP4+DWe7iclXryb1hvOCC29 oINREuvCmsqyVKzpc3rQYjQA3f/VJ9lw05cmcLmBXfrOTGp/V/M6sII2SK1A8Q4M4sXt 2+HO0a6z9eUky4fwnV3My6VyN3/BV117DrXDrS/V/Wbj/FXkoO7nl49BDBxk2xtYho9a hHNMtuu7Q2EA4hcA1/Ik1LboEhQIJlvrjVVqPZbOAgjkRAltT2yWbH9Qtmpv8rdI+9yY guAg==
X-Gm-Message-State: ALoCoQl1jP0LkRkFmIL/692BExrPghXYVbK50yLYWc1v207iw05ScoNGQct6H4wTx6QgMcoEMUPM
MIME-Version: 1.0
X-Received: by 10.13.247.3 with SMTP id h3mr5192476ywf.142.1436276710016; Tue, 07 Jul 2015 06:45:10 -0700 (PDT)
Received: by 10.37.8.201 with HTTP; Tue, 7 Jul 2015 06:45:09 -0700 (PDT)
In-Reply-To: <559ACA08.1090609@bbn.com>
References: <052.9d9fc2bb25108f9681efa566967a94e3@tools.ietf.org> <067.905aedf191f612b7a69c90d6d2c8ea46@tools.ietf.org> <559ACA08.1090609@bbn.com>
Date: Tue, 07 Jul 2015 14:45:09 +0100
Message-ID: <CABrd9SQ-7e7zYB51iRdjxMQLQP5+fJwKqTbupFG5QpwHForXQg@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/85lRdTC653U0320nfSVW_1EdhnA>
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] [trans] #77 (rfc6962-bis): normative client behavior specified in Section 5
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2015 13:45:12 -0000
On 6 July 2015 at 19:33, Stephen Kent <kent@bbn.com> wrote: > I see your point. 6269-bis is mostly a document specifying the > operation and interface to the log. Other parts of the document attempt to > describe how clients interact with the log, but they do so only > superficially. > That's why I believe we need additional document specifying the behavior > of the other elements of the CT system. > > You refer to "the protocol" but don't indicate which protocol you have in > mind. > I might agree that specs for TLS client behavior in the context of TLS > exchanges > are in scope. If so, 6269-bis needs to state that it updates TLS. > > Your interpretation of the WG's agreement to expunge client behavior from > 6269-bis > seems to encompass only the issue of whether a client rejects or accept a > cert > accompanied by a (valid) SCT. That strikes me as rather narrow. > > If a client that claims CT compliance MUST perform a series of checks to > verify > CT compliance of a cert, what does the client do if any of these tests fail? > It's > not useful to require a set of checks to be performed and yet not indicate > what > happens if they fail. If no action is required, then why bother performing > the checks? > If some action is required, or even recommended, then a spec needs to state > what that > behavior is. To restate our position on this: we don't know what clients will do in response to failure to comply with CT, and nor are we in a position to mandate it. We feel it is helpful to provide a mechanism by which the issuance of certificates can be made open to public scrutiny. Clearly adoption of this mechanism does ultimately require that clients behave somehow differently for certificates that do not conform, but we can't dictate what that behaviour is. For example, right now, the only client I know of that reacts to CT is Chrome/Chromium, and the behaviour it (at least for Chrome - Chromium comes in multiple flavours) currently exhibits is that text in some dialogues is changed depending on whether CT is present and meets Chrome's policies or not, and in the display/non-display of the EV indicators for EV certificates. This behaviour has already been through several versions and policy changes, and will continue to evolve - and is not arrived at by IETF consensus, nor will it ever be. So, I don't see how it can be a part of the I-D. > > Steve > >> #77: normative client behavior specified in Section 5 >> >> Changes (bybenl@google.com): >> >> * milestone: => review >> >> >> Comment: >> >> What has been ruled out of scope is what action clients take, not how >> they >> conform to the protocol. >> >> Suggest close wontfix. >> > > _______________________________________________ > Trans mailing list > Trans@ietf.org > https://www.ietf.org/mailman/listinfo/trans
- [Trans] [trans] #77 (client-behavior): normative … trans issue tracker
- Re: [Trans] [trans] #77 (rfc6962-bis): normative … trans issue tracker
- Re: [Trans] [trans] #77 (rfc6962-bis): normative … trans issue tracker
- Re: [Trans] [trans] #77 (rfc6962-bis): normative … Stephen Kent
- Re: [Trans] [trans] #77 (rfc6962-bis): normative … Ben Laurie
- Re: [Trans] [trans] #77 (rfc6962-bis): normative … Stephen Kent
- Re: [Trans] [trans] #77 (rfc6962-bis): normative … Ben Laurie
- Re: [Trans] [trans] #77 (rfc6962-bis): normative … Rob Stradling
- Re: [Trans] [trans] #77 (rfc6962-bis): normative … Melinda Shore
- Re: [Trans] [trans] #77 (rfc6962-bis): normative … Stephen Kent
- Re: [Trans] [trans] #77 (rfc6962-bis): normative … Stephen Kent
- Re: [Trans] [trans] #77 (rfc6962-bis): normative … Stephen Kent
- Re: [Trans] [trans] #77 (rfc6962-bis): normative … Paul Wouters
- Re: [Trans] [trans] #77 (rfc6962-bis): normative … Robin Wilton
- Re: [Trans] [trans] #77 (rfc6962-bis): normative … Rob Stradling
- Re: [Trans] [trans] #77 (rfc6962-bis): normative … Rob Stradling
- Re: [Trans] [trans] #77 (rfc6962-bis): normative … Stephen Kent
- Re: [Trans] [trans] #77 (rfc6962-bis): normative … trans issue tracker