Re: [Trans] Certificate and Precertificate extensions ordering

Ben Laurie <benl@google.com> Thu, 11 September 2014 11:27 UTC

In-Reply-To: <541184B7.9070701@comodo.com>
References: <CA+i=0E5o_JEUquZpxhwiVKU3dvDTOHSf0fbeD7Nj7vrDwAkeSw@mail.gmail.com> <CALzYgEcEpegaBt6-w+Y7Hs6EODdHUe=CFA6W=H8Afd9gxZjaSg@mail.gmail.com> <541184B7.9070701@comodo.com>
Date: Thu, 11 Sep 2014 12:27:15 +0100
Message-ID: <CABrd9SRL+O+GUNT2hvc9ysKwjksG0DJ1C7oHHH-8es1npzELnA@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Rob Stradling <rob.stradling@comodo.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/GFjFUa0PmFk_7ZadbO4lEyaGXEc
Cc: "trans@ietf.org" <trans@ietf.org>, Eran Messeri <eranm@google.com>, Erwann Abalea <eabalea@gmail.com>
Subject: Re: [Trans] Certificate and Precertificate extensions ordering
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>

On 11 September 2014 12:17, Rob Stradling <rob.stradling@comodo.com> wrote:
> On 11/09/14 11:56, Eran Messeri wrote:
>>
>> The poison extension is removed from the Precertificate prior to the log
>> producing an SCT over it, so a client never has to know about it. What
>> the TLS client has to do is to remove the "embedded SCTs" extension
>> from the certificate prior to validating the signature.
>
>
> Ditto for the future "redactedlabels" extension.

That one appears in the cert, too, doesn't it?

>
>> On Thu, Sep 11, 2014 at 11:40 AM, Erwann Abalea <eabalea@gmail.com
>> <mailto:eabalea@gmail.com>> wrote:
>>
>>     Hello,
>>
>>     It seems there's no constraint on the order of extensions in the
>>     final certificate with respect to the Precert.
>>     Won't it be problematic if the browser wants to validate the SCT
>>     signatures by constructing the Precert from the final certificate?
>>     Where should a CA add the poisonous extension? And the future
>>     "redactedlabels" extension (it has no name)?
>>
>>     --
>>     Erwann.
>>
>>     _______________________________________________
>>     Trans mailing list
>>     Trans@ietf.org <mailto:Trans@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/trans
>>
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
> Office Tel: +44.(0)1274.730505
> Office Fax: +44.(0)1274.730909
> www.comodo.com
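The reconstruction step the thread is discussing, as an added example (not code from the thread, from RFC 6962 or from any CT implementation): the log derives the bytes it signs by deleting the poison extension from the Precertificate's TBSCertificate, and a TLS client derives the same bytes from the final certificate by deleting the embedded SCT list extension. The DER handling is written from scratch here; the TBSCertificate it operates on is a hand-built stand-in with a placeholder key, a placeholder SCT list and no signature, and the helper and variable names are chosen for this example. The `demo()` function shows why the ordering question matters: deleting an extension leaves the relative order of the remaining extensions as the CA issued them, so the client's reconstruction equals what the log signed only if the final certificate keeps the other extensions in the Precertificate's order, while the slot the removed extension occupied is irrelevant.

```python
"""RFC 6962 section 3.2: to verify an embedded SCT a TLS client rebuilds the
Precertificate's TBSCertificate from the final certificate by deleting the SCT
list extension; the log built the bytes it signed by deleting the poison
extension. Added example for this thread, not code from RFC 6962, the IETF or
any CT implementation. Pure-Python DER; the TBSCertificate built below is a
constructed stand-in (placeholder key, placeholder SCT list, no signature)."""
import struct

# RFC 6962 section 3.1 OIDs, given as the content octets of the OBJECT IDENTIFIER.
OID_CT_SCT_LIST = bytes.fromhex("2b06010401d679020402")  # 1.3.6.1.4.1.11129.2.4.2
OID_CT_POISON = bytes.fromhex("2b06010401d679020403")    # 1.3.6.1.4.1.11129.2.4.3
TAG_SEQUENCE, TAG_OID, TAG_OCTET_STRING, TAG_EXTENSIONS = 0x30, 0x06, 0x04, 0xA3

def der_len(n):
    """DER definite length, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def parse_tlv(data, pos=0):
    """Return (tag, content, end) of the element at pos. Single-byte tags only,
    which covers every tag that occurs in a TBSCertificate."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def children(content):
    """Split a constructed element's content into its TLV-encoded children, in order."""
    out, pos = [], 0
    while pos < len(content):
        _, _, end = parse_tlv(content, pos)
        out.append(content[pos:end])
        pos = end
    return out

def extension_oid(ext_der):
    _, ext, _ = parse_tlv(ext_der)  # Extension ::= SEQUENCE { extnID, critical?, extnValue }
    _, oid, _ = parse_tlv(ext)
    return oid

def remove_extension(tbs_der, oid):
    """Return tbs_der with the one extension whose extnID equals oid deleted and
    everything else, including the order of the remaining extensions, untouched."""
    tag, tbs, _ = parse_tlv(tbs_der)
    if tag != TAG_SEQUENCE:
        raise ValueError("TBSCertificate must be a SEQUENCE")
    fields = children(tbs)
    for i, field in enumerate(fields):
        if field[0] != TAG_EXTENSIONS:        # extensions [3] EXPLICIT
            continue
        _, wrapper, _ = parse_tlv(field)
        _, ext_list, _ = parse_tlv(wrapper)   # SEQUENCE OF Extension
        exts = children(ext_list)
        kept = [e for e in exts if extension_oid(e) != oid]
        if len(exts) - len(kept) != 1:        # RFC 5280: an extnID appears at most once
            raise ValueError("expected exactly one extension with the given OID")
        fields[i] = tlv(TAG_EXTENSIONS, tlv(TAG_SEQUENCE, b"".join(kept)))
        return tlv(TAG_SEQUENCE, b"".join(fields))
    raise ValueError("TBSCertificate has no extensions")

def precert_signed_data(timestamp_ms, issuer_key_hash, tbs_der, ct_extensions=b""):
    """Bytes an SCT signature covers for a precert_entry (RFC 6962 section 3.2):
    sct_version v1 (0) | signature_type certificate_timestamp (0) | uint64 timestamp |
    entry_type precert_entry (1) | issuer_key_hash[32] | opaque TBSCertificate<1..2^24-1> |
    opaque extensions<0..2^16-1>."""
    if len(issuer_key_hash) != 32:
        raise ValueError("issuer_key_hash must be the 32-byte SHA-256 of the issuer SPKI")
    return (b"\x00\x00" + struct.pack(">Q", timestamp_ms) + b"\x00\x01"
            + issuer_key_hash + len(tbs_der).to_bytes(3, "big") + tbs_der
            + struct.pack(">H", len(ct_extensions)) + ct_extensions)

# --- constructed sample TBSCertificate; field contents are placeholders ---
def extension(oid, value, critical=False):
    crit = b"\x01\x01\xff" if critical else b""  # BOOLEAN TRUE; DEFAULT FALSE is omitted in DER
    return tlv(TAG_SEQUENCE, tlv(TAG_OID, oid) + crit + tlv(TAG_OCTET_STRING, value))

def name(cn):
    atv = tlv(TAG_SEQUENCE, tlv(TAG_OID, bytes.fromhex("550403")) + tlv(0x0C, cn))  # CN, UTF8String
    return tlv(TAG_SEQUENCE, tlv(0x31, atv))  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue

def build_tbs(extensions):
    sha256_rsa = tlv(TAG_SEQUENCE, tlv(TAG_OID, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
    rsa_enc = tlv(TAG_SEQUENCE, tlv(TAG_OID, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00")
    validity = tlv(TAG_SEQUENCE, tlv(0x17, b"140911000000Z") + tlv(0x17, b"150911000000Z"))
    spki = tlv(TAG_SEQUENCE, rsa_enc + tlv(0x03, b"\x00" + b"\xab" * 16))  # placeholder key bits
    return tlv(TAG_SEQUENCE, tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + sha256_rsa  # v3, serial 1
               + name(b"Example CA") + validity + name(b"example.com") + spki
               + tlv(TAG_EXTENSIONS, tlv(TAG_SEQUENCE, b"".join(extensions))))

KEY_USAGE = extension(bytes.fromhex("551d0f"), b"\x03\x02\x05\xa0", critical=True)
SAN = extension(bytes.fromhex("551d11"), tlv(TAG_SEQUENCE, tlv(0x82, b"example.com")))
POISON = extension(OID_CT_POISON, b"\x05\x00", critical=True)  # extnValue holds ASN.1 NULL
# extnValue is an OCTET STRING holding the TLS-encoded SignedCertificateTimestampList;
# the two bytes used here are a placeholder, not a real SCT list.
SCT_LIST = extension(OID_CT_SCT_LIST, tlv(TAG_OCTET_STRING, b"\x00\x00"))

def demo():
    """Compare what the log signed with what three differently ordered final certs rebuild to."""
    logged = remove_extension(build_tbs([KEY_USAGE, SAN, POISON]), OID_CT_POISON)
    same_slot = remove_extension(build_tbs([KEY_USAGE, SAN, SCT_LIST]), OID_CT_SCT_LIST)
    sct_first = remove_extension(build_tbs([SCT_LIST, KEY_USAGE, SAN]), OID_CT_SCT_LIST)
    reordered = remove_extension(build_tbs([SAN, KEY_USAGE, SCT_LIST]), OID_CT_SCT_LIST)
    return logged == same_slot, logged == sct_first, logged == reordered
```

`demo()` returns `(True, True, False)`: placing the SCT list extension where the poison was, or anywhere else, gives the same reconstruction, but swapping the order of the other two extensions does not, and the SCT signature over `precert_signed_data(...)` would then fail to verify. A real client feeds the reconstructed TBSCertificate, together with the SHA-256 of the issuer's SubjectPublicKeyInfo and the SCT's timestamp, into `precert_signed_data` and verifies the log's signature over the result with the log's public key; that step is omitted here since the sample has no real key.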