Re: [Trans] IETF 90 scheduling

Jean-Michel Combes <jeanmichel.combes@gmail.com> Wed, 23 April 2014 14:51 UTC

Return-Path: <jeanmichel.combes@gmail.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E83B61A03D6 for <trans@ietfa.amsl.com>; Wed, 23 Apr 2014 07:51:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KqxQJmjSSiKh for <trans@ietfa.amsl.com>; Wed, 23 Apr 2014 07:51:14 -0700 (PDT)
Received: from mail-wi0-x22f.google.com (mail-wi0-x22f.google.com [IPv6:2a00:1450:400c:c05::22f]) by ietfa.amsl.com (Postfix) with ESMTP id B23A81A0096 for <trans@ietf.org>; Wed, 23 Apr 2014 07:51:13 -0700 (PDT)
Received: by mail-wi0-f175.google.com with SMTP id cc10so5037757wib.8 for <trans@ietf.org>; Wed, 23 Apr 2014 07:51:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=psvuPfyLvyCkXD+1JZeie5YNbNVPZ9lBO7et4IcXOO4=; b=Kjk8Ex8g9xRccul50RThyXew6vASsRDQlv+mUxVRaIMY0bvRum4xaFZwRvta3rXVZ8 dgNaA1vvYHlvBdZvEyQIx0Or6WfXV1tVSPBu/ACcDi2SD48KbqaEu1aCrqq9HmtmoAV1 le26KFueYTxHXfgNqBH9mA8scFcc5ou0cE/opAPwF+hf80X/IUwIVKfcjm9I6DVZbgfw 5puV7CSpV1KzNjH3a1EvlKPOqrJJdf2ieJEdckUH/JbqFhSt7uqhlSe/VVyCtbOrNdOG M6zj5G2Ws/eyDgTCXLVrLGfvbNpIr4e6vapIYsZgUQOyUObrbYRWwzd0XV39re8wy6S1 dXOg==
MIME-Version: 1.0
X-Received: by 10.180.105.132 with SMTP id gm4mr2113532wib.39.1398264667585; Wed, 23 Apr 2014 07:51:07 -0700 (PDT)
Received: by 10.217.107.137 with HTTP; Wed, 23 Apr 2014 07:51:07 -0700 (PDT)
In-Reply-To: <53559D3B.1090504@gmail.com>
References: <53559D3B.1090504@gmail.com>
Date: Wed, 23 Apr 2014 16:51:07 +0200
Message-ID: <CAA7e52oXiCW4FfYfz-hT2=QOOm4xXGtxPmVwtC0rbcstQAP9qQ@mail.gmail.com>
From: Jean-Michel Combes <jeanmichel.combes@gmail.com>
To: Melinda Shore <melinda.shore@gmail.com>
Content-Type: multipart/alternative; boundary=f46d044280ead0425604f7b6dc67
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/IwgrcYErfj8GK2qd_FxNJUM8e_k
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] IETF 90 scheduling
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Apr 2014 14:51:17 -0000

Hi,

I have actually two technical comments with the current specifications of
CT:

#1 Log server identification

Currently, if I am correct, the identity of the log server providing the
SCT is based on its public key (in fact, the hash of it), which is also
stored in the TLS client. As with the public key pinning mechanism (cf.
draft-ietf-websec-key-pinning), I am afraid about a potential complexity
(from a technical/business point of view) to add a new public key in the
TLS client (e.g., web browser), to be able to set up/manage a new log
server.

So, I am wondering, instead (or in parallel) of using log server's public
key as log server's ID, if that would be easier to use URI for new log
servers deployment.

#2 Interaction between TLSA RR and CT

At first, from my point of view, using TLSA RR means "prevention" and using
CT means "repression". Now, if I want only do "prevention", the current CT
specifications will not allow me to do it. Indeed, as specified in Section
3, TLS clients MUST reject certificates that do not have a valid SCT for
the end-entity certificate, enforcing the use of CT by the TLS server.

Maybe, replacing the MUST by a SHOULD, when TLSA RR is deployed, would
relax this enforcement.


I would appreciate any feedback from the WG regarding these comments.

Thanks in advance for your replies.

Best regards,

JMC.


2014-04-22 0:35 GMT+02:00 Melinda Shore <melinda.shore@gmail.com>om>:

> We just received notification that working group session
> scheduling for the July meeting is now open.  This is a good
> time to be thinking about what needs to be done between
> now and then and how session time will be spent.  Right now
> my sense is that a single two-hour session will be more than
> enough, but I'll hold off until we get a better sense of
> what will need to be done during the session.
>
> Melinda
>
> _______________________________________________
> Trans mailing list
> Trans@ietf.org
> https://www.ietf.org/mailman/listinfo/trans
>