Re: [Trans] responses to Ryan's detailed comments on draft-ietf-trans-threat-analysis-15
Ryan Sleevi <ryan-ietf@sleevi.com> Fri, 28 September 2018 16:04 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C63B130E68 for <trans@ietfa.amsl.com>; Fri, 28 Sep 2018 09:04:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PiHjdyNwu0ej for <trans@ietfa.amsl.com>; Fri, 28 Sep 2018 09:04:34 -0700 (PDT)
Received: from mail-it1-f182.google.com (mail-it1-f182.google.com [209.85.166.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45E0E130E61 for <trans@ietf.org>; Fri, 28 Sep 2018 09:04:34 -0700 (PDT)
Received: by mail-it1-f182.google.com with SMTP id f14-v6so3095280ita.4 for <trans@ietf.org>; Fri, 28 Sep 2018 09:04:34 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ltUjrZMAKmw0lfm2xiQ4G9UWSMoVyWBtrw8wxLKnN38=; b=pafZ0lPvdfHan0mRkCA+COM4lJi67K04wChgZFIuKOXhsEmn4Wq+2YGVgQUlkb7NtC CjWmqpXkd4EI9nHWLsGU7IsN+vZXmuUS8OCdtfdWfoJI3XAkhFv/d1lnbUowi/6eM/Zg Z+JyEZMusrkfihLNsAQaiAjv09Re7WBzbVGlrigoW55P+TrjQrbmFm6v4u0zXVkshp9s tEWvzE6mMlqmilbQOuP2TryNmlYrrK6UkHLrep6j8vlJ6j6qg1kwHcqSmmh+0c8zuSyH 7oB4c0aJfDBPS1tf9l6mtwhTNDgY+lp8KRvQwim2rPtbXcmSRcRcXKg++SysKqQJt4I5 dIiQ==
X-Gm-Message-State: ABuFfojb1eKFmDdb1MvZzpLhq3ll+RfpGb2Op4Z+dXZ9OkiT/pU2+t1K zpenGmMPrfsbaLRt0H44XQ9Wg3BANQk=
X-Google-Smtp-Source: ACcGV60YWApT18QIyatV9L046UE+hghbDICuG8xpisaUpcpldvR16QJbG3z3gua0+HjekoRXOouR/Q==
X-Received: by 2002:a24:198c:: with SMTP id b134-v6mr2028349itb.125.1538150668143; Fri, 28 Sep 2018 09:04:28 -0700 (PDT)
Received: from mail-io1-f49.google.com (mail-io1-f49.google.com. [209.85.166.49]) by smtp.gmail.com with ESMTPSA id h123-v6sm1051653itb.32.2018.09.28.09.04.27 for <trans@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 28 Sep 2018 09:04:27 -0700 (PDT)
Received: by mail-io1-f49.google.com with SMTP id l7-v6so4547360iok.6 for <trans@ietf.org>; Fri, 28 Sep 2018 09:04:27 -0700 (PDT)
X-Received: by 2002:a6b:9885:: with SMTP id a127-v6mr11460225ioe.282.1538150667314; Fri, 28 Sep 2018 09:04:27 -0700 (PDT)
MIME-Version: 1.0
References: <071bd596-07ec-fe8a-861c-3ef181fec848@gmail.com> <CAErg=HEschK1K9UwS79uOPjgeCxVy4cEDHzhCQxpJrc3LxqNDQ@mail.gmail.com> <20180928022909.GG24695@kduck.kaduk.org> <DM5PR14MB1116A7D338E1C53ADDEBFB3583EC0@DM5PR14MB1116.namprd14.prod.outlook.com>
In-Reply-To: <DM5PR14MB1116A7D338E1C53ADDEBFB3583EC0@DM5PR14MB1116.namprd14.prod.outlook.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Fri, 28 Sep 2018 12:04:15 -0400
X-Gmail-Original-Message-ID: <CAErg=HGs14ZtTTUUmorRboZzJshxF5J_+XZ07-zExfXvY=Y2+w@mail.gmail.com>
Message-ID: <CAErg=HGs14ZtTTUUmorRboZzJshxF5J_+XZ07-zExfXvY=Y2+w@mail.gmail.com>
To: Tim Hollebeek <tim.hollebeek@digicert.com>
Cc: Ben Kaduk <kaduk@mit.edu>, Ryan Sleevi <ryan-ietf@sleevi.com>, Trans <trans@ietf.org>, stephentkent@gmail.com
Content-Type: multipart/alternative; boundary="00000000000022f8fd0576f09c22"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/MzgYtWdDL6Sxtov0B_GcdYwXOWY>
Subject: Re: [Trans] responses to Ryan's detailed comments on draft-ietf-trans-threat-analysis-15
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Sep 2018 16:04:36 -0000
On Fri, Sep 28, 2018 at 10:37 AM Tim Hollebeek <tim.hollebeek@digicert.com> wrote: > > > For what it's worth, I do not read 6962-bis as "very much being focused" > on > > CA-based logging. Consider, for example, certificate subjects submitting > > certificates to logs, something that is done without CA involvement and > can be > > done in response to (e.g.) Logs being distrusted or browsers increasing > the > > required number of SCTs. It's unclear that CAs have as much incentive as > > subjects to be responsive to changing events in this way. > > SCTs have to be included in the certificate so logging by third parties > does > not help with that problem. > This is not correct. Conforming clients MUST support all three methods of delivery of SCTs. No policy or statement in 6962-bis requires that SCTs "have to be included in the certificate". Perhaps you're conflating the requirement with SCTs for precertificates, which has been substantially overhauled in 6962-bis in light of the concerns around precertificates? I'm not sure where this view that the dominant form is or should be CA initiated logging, or that the intent of 6962-bis is to only countenance that scenario. Over the past 28 days, 46% of the SCTs Chrome has observed have come from the TLS extension, and 53% of them embedded within certificates. 0.01% have come from OCSP responses. This latter number is no doubt driven by at least three CAs who have a largely homogenous user base (of government and public sector users) running on Microsoft-based services, that they were confident enough that they only needed to support OCSP embedding for their subscribers. Any threat model design needs to consider 6962-bis as specified, which is to consider that these different approaches are all equally valid.
- [Trans] responses to Ryan's detailed comments on … Stephen Kent
- Re: [Trans] responses to Ryan's detailed comments… Ryan Sleevi
- Re: [Trans] responses to Ryan's detailed comments… Benjamin Kaduk
- Re: [Trans] responses to Ryan's detailed comments… Stephen Kent
- Re: [Trans] responses to Ryan's detailed comments… Stephen Kent
- Re: [Trans] responses to Ryan's detailed comments… Tim Hollebeek
- Re: [Trans] responses to Ryan's detailed comments… Ryan Sleevi
- Re: [Trans] responses to Ryan's detailed comments… Tim Hollebeek
- Re: [Trans] responses to Ryan's detailed comments… Ryan Sleevi