Re: [Trans] [saag] draft-iab-crypto-alg-agility-00

Phillip Hallam-Baker <hallam@gmail.com> Wed, 09 April 2014 00:49 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE3A91A074B; Tue, 8 Apr 2014 17:49:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_42=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zdF6atps0HeQ; Tue, 8 Apr 2014 17:49:31 -0700 (PDT)
Received: from mail-bk0-x22c.google.com (mail-bk0-x22c.google.com [IPv6:2a00:1450:4008:c01::22c]) by ietfa.amsl.com (Postfix) with ESMTP id 0C4F91A0192; Tue, 8 Apr 2014 17:49:30 -0700 (PDT)
Received: by mail-bk0-f44.google.com with SMTP id mz13so1640496bkb.3 for <multiple recipients>; Tue, 08 Apr 2014 17:49:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=8LOIVsN/+D8j127nMPTBFGSuEqyGAQR8QAnOM8hR4L4=; b=VzFIw3k4QV0jNUPQGDIdTT9XID7V8cAmjWku1vUXm7xxBpLTYdYGKxCyKXiRNbahe4 5gks2Sw8l6VMZco/gNlGKmgOVCExfG7VdEtuYBWadTCJG1yDK2/ZxAOAsIiSD/gRO2Rq 8Xmaaui1U5yodRgQdjGXLpGb4+XrAYclP+2ZUjl5TVpZ7ie9JS9bCmzDBEM00Z/jGP0g FjSMC4NQUyXTorWKOnQLG6BGcV/Dd08yoC3moC0WuG22UWP3FoR9d5fENqO7PE4qCsnv ehmZOmL65JCuHjFGWcouTfaYpcSJldpKShKTOb+9Z6hq2PS7+RaejSfCnD3axARLhBi9 I5kA==
MIME-Version: 1.0
X-Received: by 10.112.150.233 with SMTP id ul9mr4854444lbb.2.1397004570250; Tue, 08 Apr 2014 17:49:30 -0700 (PDT)
Received: by 10.112.234.229 with HTTP; Tue, 8 Apr 2014 17:49:30 -0700 (PDT)
In-Reply-To: <CADqLbzK=gC7Lv3bkS33i=3x2sM1rTWrT_DejryTcBTTM97uQHQ@mail.gmail.com>
References: <5999195E-9073-4649-A224-BF71BA61CBAF@vigilsec.com> <CAG5KPzzqSQ++YpQcnYesecL0GQ0+J0ieMXBrNk6txMAC58xEQQ@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7120A04EBD0@USMBX1.msg.corp.akamai.com> <6.2.5.6.2.20140406121529.0bd2d730@resistor.net> <2A0EFB9C05D0164E98F19BB0AF3708C7120A04EBD7@USMBX1.msg.corp.akamai.com> <CAG5KPzxihe+k0x0njC+BANacmrrQyfU5RAY_EYcMYW2rx8DZfw@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7120A04ED14@USMBX1.msg.corp.akamai.com> <CAG5KPzzzmJhcPfs0cJuS3f8Lu_Rua9dj0XWaOZ0RQ0Mwyd+egw@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7120AC18663@USMBX1.msg.corp.akamai.com> <CABrd9SQaGTFzRaaxs7HNJ7uD_Bb=qPtCtTTsu-ZFYh+QAduzsg@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7120AC188A7@USMBX1.msg.corp.akamai.com> <CABrd9SQpaDn=FWCtpRxOprt1nus_Fbg6a9dpbDrdjoWi=H8NBg@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7120AC188BB@USMBX1.msg.corp.akamai.com> <CABrd9SRjvexZb5-qo_PsQNLu9BSxbH1zUOCYtomzutXF68j2ZA@mail.gmail.com> <CADqLbzK=gC7Lv3bkS33i=3x2sM1rTWrT_DejryTcBTTM97uQHQ@mail.gmail.com>
Date: Tue, 8 Apr 2014 20:49:30 -0400
Message-ID: <CAMm+LwiW-nweMwnVUoLOUoAfWaQKjbws9tw20oma0GM=XahgQg@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Dmitry Belyavsky <beldmit@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/Cr8V4IUP2HBok7X_bByR3DdtGNE
Cc: "Salz, Rich" <rsalz@akamai.com>, "trans@ietf.org" <trans@ietf.org>, Ben Laurie <benl@google.com>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [Trans] [saag] draft-iab-crypto-alg-agility-00
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Apr 2014 00:49:33 -0000

Since TRANS is joined to X.509 at the hip, how about we just shovel
all the metadata describing the configuration of the notary into the
certificate that signs the notary log outputs periodically?

I am assuming here that the signing hierarchy for the log has an
offline key that periodically signs the online key. The cert for the
online key can specify the notary algorithm by OID (its ASN.1 after
all) and any other parameters that might be useful. Probably want to
allow for different accumulation strategies in case we ever decide a
binary tree isn't the only choice. Might have some other options.
Might want to be able to specify the CPS/CP equivalents for the
notary, etc.



On Tue, Apr 8, 2014 at 10:28 AM, Dmitry Belyavsky <beldmit@gmail.com> wrote:
> Hello Ben,
>
>
> On Tue, Apr 8, 2014 at 6:21 PM, Ben Laurie <benl@google.com> wrote:
>>
>> On 8 April 2014 15:18, Salz, Rich <rsalz@akamai.com> wrote:
>> >> > I do not understand why metadata is more secure then the data itself.
>> >
>> >> It is created by a different authority.
>> >
>> > ?  Is this in the part of the RFC that is still TBD?
>>
>> The RFC describes how logs work and how clients work. It does not
>> describe how clients decide what logs they are prepared to accept. I
>> am not sure it should.
>>
>> But whoever does also decides whether the algorithms in use by the
>> logs are acceptable and tells the client what those algorithms are
>> (along with other things, like the log's key, base URL and MMD).
>>
> I think that the client should be able to find out the algorithm used by log
> because it cant'be changed during the log lifetime. And if the RFC specifies
> the URIs for certificate submit, it seems to me that it's reasonable to
> specify the URI for finding out the algorithm. But I prefer to leave out of
> band of the protocol only the data that can't be passed using it.
>
> Thank you!
>
> --
> SY, Dmitry Belyavsky
>
> _______________________________________________
> Trans mailing list
> Trans@ietf.org
> https://www.ietf.org/mailman/listinfo/trans
>



-- 
Website: http://hallambaker.com/