Re: [Trans] Certificate and Precertificate extensions ordering

Ben Laurie <benl@google.com> Thu, 11 September 2014 11:31 UTC

In-Reply-To: <CABrd9SRL+O+GUNT2hvc9ysKwjksG0DJ1C7oHHH-8es1npzELnA@mail.gmail.com>
References: <CA+i=0E5o_JEUquZpxhwiVKU3dvDTOHSf0fbeD7Nj7vrDwAkeSw@mail.gmail.com> <CALzYgEcEpegaBt6-w+Y7Hs6EODdHUe=CFA6W=H8Afd9gxZjaSg@mail.gmail.com> <541184B7.9070701@comodo.com> <CABrd9SRL+O+GUNT2hvc9ysKwjksG0DJ1C7oHHH-8es1npzELnA@mail.gmail.com>
Date: Thu, 11 Sep 2014 12:31:15 +0100
Message-ID: <CABrd9SRF1vhkWktjVXKzJNY2Zu01TK9gKA4SsDMp8--gRdtZng@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Rob Stradling <rob.stradling@comodo.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/Kvb1lFIDQhRY-5QuT8oADukXfa0
Cc: "trans@ietf.org" <trans@ietf.org>, Eran Messeri <eranm@google.com>, Erwann Abalea <eabalea@gmail.com>
Subject: Re: [Trans] Certificate and Precertificate extensions ordering

On 11 September 2014 12:27, Ben Laurie <benl@google.com> wrote:
> On 11 September 2014 12:17, Rob Stradling <rob.stradling@comodo.com> wrote:
>> On 11/09/14 11:56, Eran Messeri wrote:
>>>
>>> The poison extension is removed from the Precertificate prior to the log
>>> producing an SCT over it, so a client never has to know about it. What
>>> the TLS client has to do is to remove the "embedded SCTs" extension
>>> from the certificate prior to validating the signature.
>>
>>
>> Ditto for the future "redactedlabels" extension.
>
> That one appears in the cert, too, doesn't it?

Sorry, ignore that: it is in the cert but not the precert (though that
seems like an arbitrary decision to me).

>
>>
>>> On Thu, Sep 11, 2014 at 11:40 AM, Erwann Abalea <eabalea@gmail.com
>>> <mailto:eabalea@gmail.com>> wrote:
>>>
>>>     Hello,
>>>
>>>     It seems there's no constraint on the order of extensions in the
>>>     final certificate with respect to the Precert.
>>>     Won't it be problematic if the browser wants to validate the SCT
>>>     signatures by constructing the Precert from the final certificate?
>>>     Where should a CA add the poisonous extension? And the future
>>>     "redactedlabels" extension (it has no name)?
>>>
>>>     --
>>>     Erwann.
>>>
>>>     _______________________________________________
>>>     Trans mailing list
>>>     Trans@ietf.org <mailto:Trans@ietf.org>
>>>     https://www.ietf.org/mailman/listinfo/trans
>>>
>>
>> --
>> Rob Stradling
>> Senior Research & Development Scientist
>> COMODO - Creating Trust Online
>> Office Tel: +44.(0)1274.730505
>> Office Fax: +44.(0)1274.730909
>> www.comodo.com
>>
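The reconstruction Eran describes above, as an added example (not code from the thread or from any CT implementation): a minimal DER walker that removes one extension by OID from a TBSCertificate while preserving the order of the remaining extensions, so that the log stripping the poison extension and the TLS client stripping the embedded-SCT extension arrive at byte-identical signed input. The cut-down TBSCertificate it builds is constructed for illustration and omits the signature algorithm, issuer, validity, subject and key fields.

```python
# Added example (not from the thread): strip one extension from a DER
# TBSCertificate, keeping the others in order (RFC 6962 s3.2 precert rebuild).
EMBEDDED_SCT_OID = bytes.fromhex("2b06010401d679020402")  # 1.3.6.1.4.1.11129.2.4.2
POISON_OID = bytes.fromhex("2b06010401d679020403")        # 1.3.6.1.4.1.11129.2.4.3

def der_len(n):  # minimal DER length encoding
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(b)]) + b

def tlv(tag, body):  # encode one DER TLV with a minimal-length field
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):  # -> (tag, value bytes, position after the TLV)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def strip_extension(tbs, oid):
    """Return the DER TBSCertificate with the extension `oid` removed."""
    tag, body, end = read_tlv(tbs, 0)
    if tag != 0x30 or end != len(tbs):
        raise ValueError("expected a single DER SEQUENCE")
    out, pos = b"", 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        if t != 0xA3:            # not the [3] EXPLICIT Extensions field
            out += tlv(t, v)
            continue
        _, exts, _ = read_tlv(v, 0)   # inner SEQUENCE OF Extension
        kept, p = [], 0
        while p < len(exts):
            _, ev, p = read_tlv(exts, p)
            if read_tlv(ev, 0)[1] != oid:   # extnID is the first child
                kept.append(tlv(0x30, ev))
        if kept:                 # X.509 forbids an empty Extensions list
            out += tlv(0xA3, tlv(0x30, b"".join(kept)))
    return tlv(0x30, out)

def make_ext(oid, value, critical=False):
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, tlv(0x06, oid) + crit + tlv(0x04, value))

def toy_tbs(middle):
    """Constructed, cut-down TBSCertificate: version, serial, [3] extensions."""
    exts = (make_ext(bytes.fromhex("551d13"), b"\x30\x00", True) + middle
            + make_ext(bytes.fromhex("551d0f"), b"\x03\x02\x05\xa0"))
    return tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01\x02\x03")
               + tlv(0xA3, tlv(0x30, exts)))
```

With the toy builder, `strip_extension(toy_tbs(poison_ext), POISON_OID)` and `strip_extension(toy_tbs(sct_ext), EMBEDDED_SCT_OID)` both equal `toy_tbs(b"")`; if the CA had reordered the surrounding extensions between precert and final certificate, the two results would differ, which is exactly the ordering concern raised in the thread.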