Re: [Trans] Proposal to modularize pre certificate transformation
Andrew Ayer <agwa@andrewayer.name> Mon, 27 March 2017 22:39 UTC
Return-Path: <agwa@andrewayer.name>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2764412966F for <trans@ietfa.amsl.com>; Mon, 27 Mar 2017 15:39:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewayer.name
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vpg7YkiQOzs2 for <trans@ietfa.amsl.com>; Mon, 27 Mar 2017 15:39:09 -0700 (PDT)
Received: from alcazar.beanwood.com (alcazar.beanwood.com [70.85.129.230]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98399126BFD for <trans@ietf.org>; Mon, 27 Mar 2017 15:39:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=andrewayer.name; s=beanwood20160511; t=1490654348; bh=DPmkXQDWDU/aCpZ4frImUQAbn1vb2QGWoEsYOqntUrM=; h=Date:From:To:Cc:Subject:In-Reply-To:References; b=nD+n7co93qRxUtV0gLzX3uID0KeosiD6mKj7iBGfnLD9AUmHkmybwgYL7q8wc8rZs y+QJh79If0yUuHUKMKSDpuSiYfECaBfAAoD+QQcK96y5YWcHfKEL8MAqT0whvXSctT ImD5zPcJx1UmTe1fOvP1EO/CnaN796k9qLLZ2g+BHi1MCNNmq1OF896dH66JADwoeh FInm19qKavayWUjfOFBJVcaDpZeeEPvDwLOgFPrHW+MG+AzrYsvUC3D15q/+a81koS ZVeDBy4lQwLipXljM8AD/XI4Nvl1KQ3k3zNOUkfnyAtFgGzXXy/X9DWUIRtP9vMR1V YVi52eqn+IxnA==
Date: Mon, 27 Mar 2017 15:39:07 -0700
From: Andrew Ayer <agwa@andrewayer.name>
To: Tarah Wheeler <Tarah_Wheeler@symantec.com>
Cc: "trans@ietf.org" <trans@ietf.org>
Message-Id: <20170327153907.435444debbebff6d9a08f95b@andrewayer.name>
In-Reply-To: <D4F8495D.4F2D%tarah_wheeler@symantec.com>
References: <D4F8495D.4F2D%tarah_wheeler@symantec.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/D__ghRIF9fvmp3hIjz6IR1GocPU>
Subject: Re: [Trans] Proposal to modularize pre certificate transformation
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Mar 2017 22:39:11 -0000
On Wed, 22 Mar 2017 19:31:43 +0000 Tarah Wheeler <Tarah_Wheeler@symantec.com> wrote: > Peter Bowen and I have been collaborating on a possible solution for > certificate privacy. Thoughts? Hi Tarah and Peter, Your proposal is very similar to the original redaction mechanism that existed in draft-ietf-trans-rfc6962-bis-16, the main differences being your proposal also supports IP address redaction and solves the multiple-certs-per-precert problem. Like the original redaction mechanism, your proposal imposes a high complexity cost on TLS clients by forcing them to do a lot of decoding and re-encoding of a certificate in order to reconstruct the pre-certificate. This problem was discussed here: https://mailarchive.ietf.org/arch/msg/trans/WU_XveDh0GmyyiQbmqEr1SVuC84 https://mailarchive.ietf.org/arch/msg/trans/eOHPqmAskBXMrGzSJAFzT9dzwOQ It led to the solution in draft-ietf-trans-rfc6962-bis-17 (now in draft-strad-trans-redaction-00), described here: https://mailarchive.ietf.org/arch/msg/trans/gGWZhqCXG0wlkktB_d0a2fPM4VU I think that any new redaction proposal should address the problem of client complexity at least as well as draft-strad-trans-redaction-00 does. Regards, Andrew
- [Trans] Proposal to modularize pre certificate tr… Tarah Wheeler
- Re: [Trans] Proposal to modularize pre certificat… Melinda Shore
- Re: [Trans] Proposal to modularize pre certificat… Peter Bowen
- Re: [Trans] Proposal to modularize pre certificat… Melinda Shore
- Re: [Trans] [EXT] Re: Proposal to modularize pre … Tarah Wheeler
- Re: [Trans] Proposal to modularize pre certificat… Andrew Ayer
- Re: [Trans] Proposal to modularize pre certificat… Peter Bowen
- Re: [Trans] Proposal to modularize pre certificat… Eran Messeri