Re: [Trans] Precertificates and revocation
Erwann Abalea <eabalea@gmail.com> Fri, 20 September 2019 18:03 UTC
Return-Path: <eabalea@gmail.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82E2A1208AA for <trans@ietfa.amsl.com>; Fri, 20 Sep 2019 11:03:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FUZZY_CPILL=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ynwn-Sr8Gu99 for <trans@ietfa.amsl.com>; Fri, 20 Sep 2019 11:03:46 -0700 (PDT)
Received: from mail-oi1-x22c.google.com (mail-oi1-x22c.google.com [IPv6:2607:f8b0:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD93B120099 for <trans@ietf.org>; Fri, 20 Sep 2019 11:03:45 -0700 (PDT)
Received: by mail-oi1-x22c.google.com with SMTP id i185so2493810oif.9 for <trans@ietf.org>; Fri, 20 Sep 2019 11:03:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=HCVJ9CTJHxUmd+QlXHmtDbgQg3EVae/I3dzZ7IkbAqI=; b=gJ8iuqm7h2q/bEmZRcwQ1xktgdxklJ08AOvloy/3e9lXIMqjCKlW5goUOsQfGRtc+R Vx61WlSgNjWt3cOaHAIJbjI3bxjezVrqYu/ZAM2823/Bl6GYiIT8hB5GsycLw9YvSHVW wyZSY+f+mMWHaaBHgmfkWXSUNbsILKQcQ+wKpjugOot6kJ1v2pnC9HzPVdJ7otR8Yi6q Q+RqfVUpcQBwxT9GJ0W6peeUFAwq4R2hnYLWtaxBASmEK9Vt5kQSSNQewUyJg9isxXqK KDdz6MFDBa/Sl0VP7tw9m93+pATx6sujnCpm3k65SeTQRJ7wvQR7ch2KhPVKD6lTQgOA V6Ag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=HCVJ9CTJHxUmd+QlXHmtDbgQg3EVae/I3dzZ7IkbAqI=; b=OrPpXhBYOHImSwB3hl+apMupSnY6AgMwlxMKcygXQH+wEz9yBQUcYyB+YuaXI3nzGg 6+l8W144so3rXoT1SgDNXmcDEjc7NQTur3MkHNeeEUfS7mFpjPtlhw7m0KszHpTfcxHy QmmJDTZ+8I2Dre17XCTFThLffHmSijoX+H9REElVlnXuaKU0tlJs8BeFAtlaCrf6/5vJ WC1RO6Cj4BNpjbdvFR4AaGDUQ9A03oAPKycW4qu6LAetOiX5dJmSh1Ykk82QN8e/OoU1 0JQ/sz2ptUs7L7xacTqApJy6/UczAOdtCf+oWh7cmjxqg6dRY2GpfHdC7U/BoVupTXTJ psiw==
X-Gm-Message-State: APjAAAU4hVsw5ZmGCiw5ivttkyFgHlQOBt9FuKR0aHEPdv5ee+q1U08C whKSo2H1WKt7hA1OfU09LjXFnHurcfBtrY82a0Wmig==
X-Google-Smtp-Source: APXvYqydS9WhIu7mi2zpx2ARCIp/uiedP6iWhHnWhYit8zz822aoNEf+wL2ITMAJnucBHhggollhrwrugKIeyNKO9tk=
X-Received: by 2002:aca:cc0b:: with SMTP id c11mr3870528oig.169.1569002624780; Fri, 20 Sep 2019 11:03:44 -0700 (PDT)
MIME-Version: 1.0
References: <20190916100800.5b62d43c0f28e30269f41b7a@andrewayer.name> <21a9ea1e-124b-3bf2-72f5-4dc755d4061b@sectigo.com>
In-Reply-To: <21a9ea1e-124b-3bf2-72f5-4dc755d4061b@sectigo.com>
From: Erwann Abalea <eabalea@gmail.com>
Date: Fri, 20 Sep 2019 20:03:33 +0200
Message-ID: <CA+i=0E74Obi+Q=H_km9MFKzMBUTsjxRKt2-XxpJuf60Bz+99mw@mail.gmail.com>
To: Rob Stradling <rob@sectigo.com>
Cc: "trans@ietf.org" <trans@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001a0f690592ffe441"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/95sM9D9EHsjLT7YoVg3wxXR8TwI>
Subject: Re: [Trans] Precertificates and revocation
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Sep 2019 18:03:49 -0000
In the case of a precert subordinate CA, the CRLDP and AIA:ocsp will contain the URLs of the real CA (the one that issued the precert sub CA). How is it supposed to work? In a CTv1 world. Le ven. 20 sept. 2019 à 15:52, Rob Stradling <rob@sectigo.com> a écrit : > [This topic came up on mozilla.dev.security.policy recently. Although > the focus there is on the currently deployed CT v1 ecosystem, ISTM that > TRANS should consider if/how CT v2 (6962-bis) should address the same > issue] > > How should revocation servers behave when a precertificate exists but > the corresponding certificate has not yet been (or will never be) issued? > > Should it be possible to revoke a precertificate when the corresponding > certificate has not been issued? > > In RFC6962, precertificates are X.509 certificates, and so it's not > unreasonable to expect OCSP responders to be able to provide their > status. However, 6962-bis precertificates are not X.509 certificates, > which I think changes what might or might not be a reasonable expectation. > > Andrew points out (see forwarded message below) that outside observers > have to assume that a certificate has been issued when they see a > corresponding precertificate (since the presumed-to-exist certificate > may never be submitted to a log), and that outside observers will expect > CAs to operate revocation services for the presumed-to-exist certificates. > > Back to CT v1: Mozilla now requires [1] that... > "- A CA must provide OCSP services and responses in accordance with > Mozilla policy for all certificates presumed to exist based on the > presence of a Precertificate, even if the certificate does not actually > exist > - A CA must be able to revoke a certificate presumed to exist, if > revocation of the certificate is required under Mozilla policy, even if > the certificate does not actually exist." > > ISTM that we should address this topic in 6962-bis somehow, but what do > folks think we could say without straying into "policy"? > > > [1] > > https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Precertificates > > > -------- Forwarded Message -------- > Subject: Re: DigiCert OCSP services returns 1 byte > Date: Mon, 16 Sep 2019 10:08:00 -0700 > From: Andrew Ayer <agwa@andrewayer.name> > To: Rob Stradling <rob@sectigo.com> > CC: dev-security-policy@lists.mozilla.org > > On Fri, 13 Sep 2019 08:22:21 +0000 > Rob Stradling via dev-security-policy > <dev-security-policy@lists.mozilla.org> wrote: > > > Thinking aloud... > > Does anything need to be clarified in 6962-bis though? > > Yes, it's long past time that we clarified what this means: > > "This signature indicates the CA's intent to issue the certificate. This > intent is considered binding (i.e., misissuance of the precertificate is > considered equivalent to misissuance of the corresponding certificate)." > > The goal is that a precertificate signature creates an unrebuttable > presumption that the CA has issued the corresponding certificate. If a > CA issues a precertificate, outside observers will treat the CA as if > it had issued the corresponding certificate - whether or not the CA > really did - so the CA should behave accordingly. > > It's worth explicitly mentioning the implications of this: > > * The CA needs to operate revocation services for the corresponding > certificate as if the certificate had been issued. > > * If the corresponding certificate would be misissued, the CA will be > treated as if it had really issued that certificate. > > Are there any other implications that 6962-bis should call out > explicitly? > > Regards, > Andrew > > _______________________________________________ > Trans mailing list > Trans@ietf.org > https://www.ietf.org/mailman/listinfo/trans > -- Erwann.
- [Trans] Precertificates and revocation Rob Stradling
- Re: [Trans] Precertificates and revocation Ryan Sleevi
- Re: [Trans] Precertificates and revocation Erwann Abalea
- Re: [Trans] Precertificates and revocation Rob Stradling
- Re: [Trans] Precertificates and revocation Eran Messeri
- Re: [Trans] Precertificates and revocation Rob Stradling
- Re: [Trans] Precertificates and revocation Rob Stradling
- Re: [Trans] Precertificates and revocation Eran Messeri
- Re: [Trans] Precertificates and revocation Rob Stradling
- Re: [Trans] Precertificates and revocation Rob Stradling
- Re: [Trans] Precertificates and revocation Paul Wouters