Re: [Trans] path validation

Carl Wallace <carl@redhoundsoftware.com> Wed, 01 October 2014 14:54 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/trans/IQlctCM2g4Y-TL3LrhpPwqR6QUQ
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>

On 10/1/14, 10:47 AM, "David Leon Gil" <coruus@gmail.com> wrote:

>On Wed, Oct 1, 2014 at 10:29 AM, Stephen Kent <kent@bbn.com> wrote:
>> I disagree. Once Ben said that he meant mis-issuance to be interpreted in a
>> much broader context, and cited EV cert requirements as an example, I
>> pursued documenting what that would mean. If the WG wants to say that
>> mis-issuance is more than issuing a cert to the wrong Subject, then we need
>> to say just what it is, not hand wave.
>
>You are missing the point of certificate transparency.
>
>We have no idea all the forms that misissuance -- particularly
>malicious misissuance -- might take. If it were trivial to detect
>"misissuance", browsers would validate certs for "misissuance" and the
>problem would be solved.
>
>The point of having a log that includes everything signed with a CA's
>key is that analysis of issued certificates can be conducted post-hoc.
>
>Proposals to limit the scope of what logs can log kneecap CT. They
>should not be considered.

Maybe the term mis-issuance should just be discarded.  There seems to be
agreement that logs should accept anything signed by one of the CAs
covered by a log.  Monitors can always detect whatever they want relative
to the certificate collection maintained by a log (be it “mis-issuance” or
something else).