Re: [Trans] [saag] draft-iab-crypto-alg-agility-00

Ben Laurie <benl@google.com> Tue, 08 April 2014 14:08 UTC

In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C7120AC18663@USMBX1.msg.corp.akamai.com>
References: <5999195E-9073-4649-A224-BF71BA61CBAF@vigilsec.com> <CAG5KPzzqSQ++YpQcnYesecL0GQ0+J0ieMXBrNk6txMAC58xEQQ@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7120A04EBD0@USMBX1.msg.corp.akamai.com> <6.2.5.6.2.20140406121529.0bd2d730@resistor.net> <2A0EFB9C05D0164E98F19BB0AF3708C7120A04EBD7@USMBX1.msg.corp.akamai.com> <CAG5KPzxihe+k0x0njC+BANacmrrQyfU5RAY_EYcMYW2rx8DZfw@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7120A04ED14@USMBX1.msg.corp.akamai.com> <CAG5KPzzzmJhcPfs0cJuS3f8Lu_Rua9dj0XWaOZ0RQ0Mwyd+egw@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7120AC18663@USMBX1.msg.corp.akamai.com>
Date: Tue, 8 Apr 2014 15:08:11 +0100
Message-ID: <CABrd9SQaGTFzRaaxs7HNJ7uD_Bb=qPtCtTTsu-ZFYh+QAduzsg@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: "Salz, Rich" <rsalz@akamai.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/9XC_j8YjYlX6RDndjjS9IIuKuIQ
Cc: "trans@ietf.org" <trans@ietf.org>, Ben Laurie <ben@links.org>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [Trans] [saag] draft-iab-crypto-alg-agility-00
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>

On 7 April 2014 20:08, Salz, Rich <rsalz@akamai.com> wrote:
> So the concern is log servers that are going to reserve the right to "go rogue" by using weak crypto that could be subverted?  Or is there a different concern?

Right, that's the concern.

> I believe this can be addressed by leaving the data formats future-proof, but mandating the crypto in the RFC. For example, put a hash identifier (OID, TLS id, whatever) in the hash entry, but the RFC says "MUST use SHA-256."  To make it even stronger, you could set up an IANA registry. Being pragmatic, nobody's going to implement anything other than what Chrome supports, at least at first. And by making log data self-identifying, you can (quietly) perform experiments on new crypto types.

As I responded to Steve, I agree that there should be an identifier,
but it belongs in the metadata about the logs. The RFC does not (and
arguably should not) specify how logs get that metadata, nor what
format it is in.

>
>         /r$
>
> --
> Principal Security Engineer
> Akamai Technology
> Cambridge, MA



-- 
Certificate Transparency is hiring! Let me know if you're interested.
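
An added illustration of the position taken in this message, not code from the thread or from any CT implementation: a client takes the hash identifier from log metadata it already holds, enforces the "MUST use SHA-256" policy at that point, and recomputes an RFC 6962 Merkle tree hash with the selected function. The metadata layout, log names and function names are hypothetical.

```python
import hashlib

# Assumed client policy: the only hash the client will accept from any log.
ALLOWED_HASHES = {"sha256"}

# Constructed log metadata, obtained out of band. Its format is hypothetical;
# the message notes the RFC does not specify how clients get it.
LOG_METADATA = {
    "log-a.example": {"hash": "sha256"},
    "log-b.example": {"hash": "md5"},  # a log that declares a weak hash
}

def hasher_for(log_id):
    """Select the hash from client-held metadata, never from log-supplied data."""
    meta = LOG_METADATA.get(log_id)
    if meta is None:
        raise ValueError(f"unknown log: {log_id}")
    alg = meta["hash"]
    if alg not in ALLOWED_HASHES:
        raise ValueError(f"log {log_id} declares disallowed hash {alg}")
    return lambda data: hashlib.new(alg, data).digest()

def merkle_tree_hash(entries, h):
    """Merkle Tree Hash as defined in RFC 6962 section 2.1."""
    n = len(entries)
    if n == 0:
        return h(b"")
    if n == 1:
        return h(b"\x00" + entries[0])      # leaf prefix
    k = 1
    while k * 2 < n:                        # largest power of two below n
        k *= 2
    left = merkle_tree_hash(entries[:k], h)
    right = merkle_tree_hash(entries[k:], h)
    return h(b"\x01" + left + right)        # interior node prefix

def check_tree_head(log_id, entries, claimed_root):
    """Recompute the root with the metadata-selected hash and compare."""
    h = hasher_for(log_id)
    return merkle_tree_hash(entries, h) == claimed_root
```

Because the algorithm is fixed by metadata before any log data is parsed, a log cannot switch to a weaker hash by changing a field inside its own responses.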