Re: [Trans] DNSSEC also needs CT

Nico Williams <nico@cryptonector.com> Tue, 13 May 2014 05:12 UTC

In-Reply-To: <CAOe4Uimvc6e6u=fJjM1-iaOTepA33Sx5CBjMV9dB8sSLqtZoWA@mail.gmail.com>
References: <CAK3OfOjiL2DTJPH3CaAjg8YGrrwN56SgQ+DnqPXx4MLbgXQN+A@mail.gmail.com> <CAMm+Lwieij8Tm8V-gpE0eAfwie1dgtFL_Ga8dPkJFKJKLQDAcA@mail.gmail.com> <CAK3OfOiKjY6YyiyeHiFJrecZfj_uQ-2k+KucKnzb9Yt8VCRPOQ@mail.gmail.com> <CAHw9_iKpN7AXfrH6SzroMukrKTPR5z24U9KfWpVW-F2R_wX3ag@mail.gmail.com> <alpine.LFD.2.10.1405101722240.897@bofh.nohats.ca> <CABrd9ST7K-7RGwGD2G+kDcVSceC2ZJ-5Tz2tdp5NWa3cqBK+-w@mail.gmail.com> <CAOe4Ui=nqmCfjBYNE2CJtEs1jnbavpY4Dv-T3FRDdAwAA2dScg@mail.gmail.com> <CAK3OfOiYMJkXVR+QsCzEV0ir6u53coJz0b-JdGGD5bTTz5YcMg@mail.gmail.com> <CAOe4Ui=u0fkm9_nuXx_6gpH6jHM5pBvzjzru9O8y3bpLkA0qmw@mail.gmail.com> <CAK3OfOi6y=QAMXe_2axiavxwR5nS2Uv8SM4JxQHsvEKbUyNGCA@mail.gmail.com> <CAOe4Uimvc6e6u=fJjM1-iaOTepA33Sx5CBjMV9dB8sSLqtZoWA@mail.gmail.com>
Date: Tue, 13 May 2014 00:12:02 -0500
Message-ID: <CAK3OfOhdhWdGvvhuaGyE_p5kLy0ZX-V5sAXfoLGP_8d8vPJDgg@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Joseph Bonneau <jbonneau@gmail.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/MW79QHK-5nVKK6kPAPJLc0-p57g
Cc: Warren Kumari <warren@kumari.net>, "trans@ietf.org" <trans@ietf.org>, Paul Wouters <paul@nohats.ca>, Ben Laurie <benl@google.com>
Subject: Re: [Trans] DNSSEC also needs CT

On Mon, May 12, 2014 at 11:56 PM, Joseph Bonneau <jbonneau@gmail.com> wrote:
> On Mon, May 12, 2014 at 2:01 PM, Nico Williams <nico@cryptonector.com>
> wrote:
>> You're assuming I want zones below the ones that matter audited, but I
>> don't.  I want the root ones audited -- same as with the TLS server
>> PKI.  Why would I have wanted anything else?
>
>
> Your original email didn't specify if you were interested in logs only for
> the root/important TLDs or for every domain. I (and I think others in this
> thread) interpreted the idea as being some form of hierarchical logging for
> all or almost all (non-private) domains. Are we on the same page now that
> the stronger version seems very unlikely in the short to medium term?

Is CT intended to be run all the way from the root to the CAs furthest
from the root?  I didn't think it was, and if it is, please tell me.

Incidentally, rfc6962bis could use an operational considerations
section covering issues such as what CAs are expected to be logged.

Nico
--