[Trans] Question about PRIVATE option (Ticket #1)

Rick Andrews <Rick_Andrews@symantec.com> Mon, 10 March 2014 18:59 UTC

From: Rick Andrews <Rick_Andrews@symantec.com>
To: "trans@ietf.org" <trans@ietf.org>
Date: Mon, 10 Mar 2014 11:58:48 -0700
Message-ID: <544B0DD62A64C1448B2DA253C011414607C70EAF9E@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/FA9IKrTnD7wLcq8BJDpmsQHDg9M
Subject: [Trans] Question about PRIVATE option (Ticket #1)
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>

Regarding Issue #1: http://tools.ietf.org/wg/trans/trac/ticket/1# "Need options for avoiding logging private subdomains", I think the design is not yet complete.

I understand how this works when my customer has chosen the precert delivery option (I mask the second level domain in the precert that I send with the add-pre-chain command).

But if my customer has chosen to deliver SCTs via OCSP staple or TLS extension, and they want to keep their subdomain private, what do I do? I'm going to sign the cert without SCTs in it, but if I log it via an add-chain command, the subdomains will be visible in the log.

-Rick
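An added example (Python, not from Rick's message or the working group's own code) that models the two submission paths he describes, so an operator can check which subdomain labels would end up visible in a public log entry. It assumes the RFC 6962 add-pre-chain / add-chain endpoints and, as a labelled assumption, the convention of replacing each private label with a single "?" as the precert redaction marker.

```python
# Added example; not part of the original mailing-list message.
# Assumption: private labels are replaced by "?" in the precert name.
from dataclasses import dataclass


def redact_name(dns_name: str, public_labels: int = 2) -> str:
    """Replace every label left of the rightmost `public_labels` with '?'."""
    labels = dns_name.split(".")
    if public_labels < 1 or public_labels > len(labels):
        raise ValueError("public_labels out of range for %r" % dns_name)
    private = len(labels) - public_labels
    return ".".join(["?"] * private + labels[private:])


@dataclass
class Submission:
    endpoint: str       # "add-pre-chain" or "add-chain"
    logged_names: list  # SAN names as they will appear in the log entry
    sct_delivery: str   # "embedded", "ocsp" or "tls"


def plan_submission(san_names, sct_delivery, keep_private, public_labels=2):
    """Decide which endpoint the CA uses and what names the log will see."""
    if sct_delivery == "embedded":
        # Precert path: names can be masked before the log ever sees them.
        names = [redact_name(n, public_labels) if keep_private else n
                 for n in san_names]
        return Submission("add-pre-chain", names, sct_delivery)
    # OCSP-staple / TLS-extension path: the final, unmasked cert is logged.
    return Submission("add-chain", list(san_names), sct_delivery)


def exposes_private_labels(logged_names, public_labels=2) -> bool:
    """True if any logged name still shows a label left of the public suffix."""
    for name in logged_names:
        labels = name.split(".")
        hidden = labels[: max(0, len(labels) - public_labels)]
        # "?" is the redaction marker; "*" is a wildcard, not a private label.
        if any(lbl not in ("?", "*") for lbl in hidden):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample SAN list for a customer with a private subdomain.
    sans = ["intranet.example.com", "example.com"]
    for delivery in ("embedded", "ocsp", "tls"):
        sub = plan_submission(sans, delivery, keep_private=True)
        print(delivery, sub.endpoint, sub.logged_names,
              "LEAKS" if exposes_private_labels(sub.logged_names) else "ok")
```

Running it shows the gap Rick raises: only the embedded (precert) path yields a log entry with the private label masked, while both the OCSP and TLS delivery paths log the full name.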