IETF Logo Mail Archive

[Trans] Summary of DISCUSS items for draft-ietf-trans-rfc6962-bis

Roman Danyliw <rdd@cert.org> Mon, 24 February 2020 20:44 UTC

Return-Path: <rdd@cert.org>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D3E43A12C5 for <trans@ietfa.amsl.com>; Mon, 24 Feb 2020 12:44:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BTrfpNOpPthb for <trans@ietfa.amsl.com>; Mon, 24 Feb 2020 12:44:37 -0800 (PST)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu [147.72.252.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC7423A12C7 for <trans@ietf.org>; Mon, 24 Feb 2020 12:44:37 -0800 (PST)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 01OKiajm037546 for <trans@ietf.org>; Mon, 24 Feb 2020 15:44:36 -0500
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu 01OKiajm037546
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1582577076; bh=QzcyGeDkekvvqavViadq6gqgBxpLZG+sZsS7dsIHY1w=; h=From:To:Subject:Date:From; b=AMW1+mK5tzDjUCeCpA6SJ69suIrTzwqzXDfAEAfS/XRVgivhR7Nzf8UolHq/LKHre /PGuhWptbTMimrrl/K/b0Y/ssY5iXqSGPv942InNMhxGnIwFUDxhIdD8GlVJeNPU84 D2JrK0VYXrupjcJuWbjoB1Nhd3GK3H9Hi4L2H0Mg=
Received: from CASSINA.ad.sei.cmu.edu (cassina.ad.sei.cmu.edu [10.64.28.249]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 01OKiYmp038470 for <trans@ietf.org>; Mon, 24 Feb 2020 15:44:34 -0500
Received: from MARCHAND.ad.sei.cmu.edu ([10.64.28.251]) by CASSINA.ad.sei.cmu.edu ([10.64.28.249]) with mapi id 14.03.0468.000; Mon, 24 Feb 2020 15:44:34 -0500
From: Roman Danyliw <rdd@cert.org>
To: "trans@ietf.org" <trans@ietf.org>
Thread-Topic: Summary of DISCUSS items for draft-ietf-trans-rfc6962-bis
Thread-Index: AdXrTUfm8XWVAz9CSdW38cgkiAaelg==
Date: Mon, 24 Feb 2020 20:44:33 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC0216F4C1D7@marchand>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/99z1vzydfaF8iwN0a5lOa88Bq4k>
Subject: [Trans] Summary of DISCUSS items for draft-ietf-trans-rfc6962-bis
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Feb 2020 20:44:39 -0000

Hi!

I just balloted YES with a few comments on draft-ietf-trans-rfc6962-bis.  To follow-up on Paul's earlier summary [1], I saw that some discussion has occurred in response to the IESG ballot but wanted to check-in with the authors on the disposition of addressing the remaining DISCUSS items.

[1] https://mailarchive.ietf.org/arch/msg/trans/9zGMHr_Fu1EefWbvthvqSANl3nA/

==[ Ben Kaduk
From: https://mailarchive.ietf.org/arch/msg/trans/2Sc26GMFwQnTRl5DEEk_-51ABFU/

Item #1

Sections 4.11 and 4.12 have arrays of NodeHash to carry consistency and
inclusion proofs, respectively, with minimum array size of 1.  However,
Sections 2.1.4.1 and 2.1.3.1 (respectively) seem to admit the
possibility of zero-length proofs in degenerate cases, which the
aforementioned protocol description language forbids the conveyance of.
(Section 5.3 explicitly requires the use of an empty consistency proof.)
Do those minimum array sizes need to be (implicit) zero?
(If they do not, it seems that a minimum size of 32 would have the same
effect as that of one, since a NodeHash has minimum size 32.)

Item #2

In Section 6:

   o  An Online Certificate Status Protocol (OCSP) [RFC6960] response
      extension (see Section 7.1.1), where the OCSP response is provided
      in the "CertificateStatus" message, provided that the TLS client
      included the "status_request" extension in the (extended)
      "ClientHello" (Section 8 of [RFC6066]).  [...]

This is not quite a TLS 1.3-compliant formulation -- TLS 1.3 does not
use the "CertificateStatus message", but rather uses the encoding of
that structure in a status_request extension in the CertificateEntry.
draft-ietf-trans-rfc6962-bis
===
==[ Mirja Kühlewind
From: https://mailarchive.ietf.org/arch/msg/trans/0R9dKzZ4h2bLQX4pyHqwdA4uVdo/

There was a presentation at maprg IETF 103 about the question 
if CT helps attackers to find new domains. I think this risk should at 
least be mentioned in the security considerations section.

[Roman] Pending review by Mirja.  Section 11.6 was added.
===

==[ Alexey Melnikov
From: https://mailarchive.ietf.org/arch/msg/trans/qiURoDHiWrP1l7X3WY9RRvYrWFg/

5.  Log Client Messages

   type:  A URN reference identifying the problem.  To facilitate
      automated response to errors, this document defines a set of
      standard tokens for use in the "type" field, within the URN
      namespace of: "urn:ietf:params:trans:error:".

I think you need to register this in <https://www.iana.org/assignments/params/params.xhtml#params-1>
===

Regards,
Roman

v2.23.0 | Report a Bug | By Email