IETF Logo Mail Archive

Re: [Trans] Another Question about the PRIVATE option (Ticket #1)

Ben Laurie <benl@google.com> Tue, 18 March 2014 16:22 UTC

Return-Path: <benl@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B13D91A06D4 for <trans@ietfa.amsl.com>; Tue, 18 Mar 2014 09:22:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.926
X-Spam-Level:
X-Spam-Status: No, score=-1.926 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L0baavP0q5h0 for <trans@ietfa.amsl.com>; Tue, 18 Mar 2014 09:22:20 -0700 (PDT)
Received: from mail-vc0-x22f.google.com (mail-vc0-x22f.google.com [IPv6:2607:f8b0:400c:c03::22f]) by ietfa.amsl.com (Postfix) with ESMTP id A3E121A0476 for <trans@ietf.org>; Tue, 18 Mar 2014 09:22:20 -0700 (PDT)
Received: by mail-vc0-f175.google.com with SMTP id lh14so7493773vcb.20 for <trans@ietf.org>; Tue, 18 Mar 2014 09:22:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=vLQFsDAy403mMXiFpkMKMFvoN7A/aXHRORiJZT8p3Ew=; b=B8M/J/Cmq0ta69F6UIEg2wShNAroCK4ocjtC6H5AUnFQBQjOXcWJmjng6NWkIaAI4u 7yJOEDr/r98Y1NxpwxxcciJVHmsnWOpXcbdsdtbbbjRjR9/VtQ5Kwyc7o5oAJ8y6gcT2 6CWDgNkv7xa4PDzuqpk8xpC3WwSGUZrNGrjB4nilz4s/5c/BvcN7JGO6t1PFn2qPDbY+ 5NobEXvMf44QVf14/osmpDVrnSSe3PJzvdPXWadssPeVzl1uoC5hISIcBHV56xHcLBkx Qm6F73lfajjiu7pqffC0EOgrHxnEo2jLwJyAoLznK71oN+LcAu4CNzJYQttq8IPxLr8t tCNQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=vLQFsDAy403mMXiFpkMKMFvoN7A/aXHRORiJZT8p3Ew=; b=SmLsxtLXImQxLyVLG6lE/7YIv09U6VJsdbIDkhP0XS9SPGunPZoeuPmqxyK4GdaHov 60UJZttsDmOEmeBtGMKVA2DN9hetbMhl2HjTgcbm+Z7yjnQnBpo9/JS5oNqoGxQcmFy1 IbOcVb4m9uaR4l+w2d+y0SeWQE3pwj9neWr9t6A7cmyVTOGUpKXhDvmG8+lyNGNsBjRr TsUlH8h0gyXT2Usrn4VY2/8uzeiDBAoTwoHWFnWa2tI5NOFhqxRrfOoL0xByl8d2pmYM y2tN3tFZUAYz6KSupf90tQ1yali8GdPdz5aHsmyxNZm61mBunkpSKBV2dcxpQJgwAuLL 41iw==
X-Gm-Message-State: ALoCoQlrzGxsb3EfKlJrgKArszSgC8zMTeJZQvwmebxogi/iV05lGRF+stg3TUSUs51T0purj8egEC8oxPCiyEi+AKTWED5ePgGH/U0k/HMPDcvK8Sx2xZF4byU1YO1Cm/p+tyLqZU2Awc87yM8th1hSZUlvec6UTxe+7e4Yps0ktxzYYftSoCGfk4GbzBVRalZPUDuWzNtn
MIME-Version: 1.0
X-Received: by 10.58.221.102 with SMTP id qd6mr922171vec.47.1395159732126; Tue, 18 Mar 2014 09:22:12 -0700 (PDT)
Received: by 10.52.230.105 with HTTP; Tue, 18 Mar 2014 09:22:12 -0700 (PDT)
In-Reply-To: <53286F24.5080407@fifthhorseman.net>
References: <544B0DD62A64C1448B2DA253C011414607C70EAF9E@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <531EE6A6.7000007@comodo.com> <544B0DD62A64C1448B2DA253C011414607C77BCCBE@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <53204F9E.7000507@comodo.com> <CALzYgEf-=7+XpBYgV-+0ijq-whRsn9gam7AELERZfof-TJ5uEg@mail.gmail.com> <53217E29.7040004@comodo.com> <544B0DD62A64C1448B2DA253C011414607C7DAA2CF@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CABrd9SQONqLvemGtfy6WpyVQEN5Wuq8otFpjA2nKTirF6Z_5Qw@mail.gmail.com> <CAMm+Lwhy+ArnJhY-SjkbPtbZgPfDyZ4LkQ82mNJrvSO7jZr3Bw@mail.gmail.com> <53286F24.5080407@fifthhorseman.net>
Date: Tue, 18 Mar 2014 16:22:12 +0000
Message-ID: <CABrd9STuCQdzbWduJ9TOJ3xbCg4vSKw3sPGR50uo4L-3KqVxgg@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/AxNIOjj343e1dZJoah66Pe3pbE8
Cc: "trans@ietf.org" <trans@ietf.org>, Phillip Hallam-Baker <hallam@gmail.com>, Rick Andrews <Rick_Andrews@symantec.com>
Subject: Re: [Trans] Another Question about the PRIVATE option (Ticket #1)
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Mar 2014 16:22:22 -0000

On 18 March 2014 16:07, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> On 03/18/2014 08:02 AM, Phillip Hallam-Baker wrote:
>
>> Unfortunately it is focused mostly on fixing cookies which is trying to fix
>> stupid which is never going to produce a sensible result. But there is
>> already a zone prefix list used for issue of wildcard certs.
>>
>> The problem of <private>.<domain>.foo.com looks to me to be the same as the
>> problem of *.<domain>.foo.com.
>>
>> *.uk would be a bad thing...
>
> the CABForum guidelines split "registry-controlled" zones from the next
> level of labels using http://publicsuffix.org/, though they acknowledge
> that this is not a scalable long-term solution and something else needs
> to be done eventually (see section 11.1.3):
>
> https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1_1_6.pdf
>
> This idea of a "natural split" between public registries and private
> zones is appealing, because of the tradeoffs between auditability and
> resistance to zone enumeration.  The entities closer to the root of the
> hierarchy need to be audited, since they have power over the leaves; the
> entities nearer to the leaves have less power, little or no
> responsibility delegated to them from third-parties, and possibly more
> legitimate need for hiding individual zone entries or avoiding enumeration.
>
> So how would this work in CT?  if i'm an admin for the example.com zone,
> i'd want to monitor the logs for any entries matching:
>
> a) <PRIVATE>.com
> b) example.com
> c) *.example.com
> d) <PRIVATE>.example.com
>
> if any of b, c, or d are observed which were not issued from within my
> authority, i now have proof of misissuance, and can take the issuing CA
> to task.

Right.

> But if (a) is observed from monitoring the log, what can the site
> operator do?  Do we declare that (a) is indication of log misbehavior?

Surely not - this, again, is misissuance (or misreporting by the CA,
if you prefer). i.e. the CA should be taken to task. The log does not
judge, it merely records.

> if so, then we need to also consider that CT-aware TLS clients need to
> be able to identify SCTs of the (a) form and report them publicly
> somehow, so that log misbehavior is known.

See above. I think these two cases are different.

> presumably, this would be
> the same mechanism used to report an SCT that didn't show up within the
> MMD, right?  is there a reporting mechanism defined?

Currently, only Chrome is implementing CT as a client (to our
knowledge) and so I guess the appropriate recipient of such a report
would be Google. We have not yet defined a way to do this, but
anticipate that Chrome will offer to do it when appropriate.

Another option might be the CA/B Forum.

v2.23.0 | Report a Bug | By Email