Re: [Trans] path validation
Rob Stradling <rob.stradling@comodo.com> Wed, 01 October 2014 15:10 UTC
Return-Path: <rob.stradling@comodo.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E51821ACE4E for <trans@ietfa.amsl.com>; Wed, 1 Oct 2014 08:10:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.41
X-Spam-Level: *
X-Spam-Status: No, score=1.41 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_MISMATCH_NET=0.611, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6wv8yPi6bo9Q for <trans@ietfa.amsl.com>; Wed, 1 Oct 2014 08:10:17 -0700 (PDT)
Received: from ian.brad.office.comodo.net (eth5.brad-fw.brad.office.ccanet.co.uk [178.255.87.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 509F31A1A26 for <trans@ietf.org>; Wed, 1 Oct 2014 08:10:16 -0700 (PDT)
Received: (qmail 26776 invoked by uid 1000); 1 Oct 2014 15:10:13 -0000
Received: from and0004.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (AES128-SHA encrypted) ESMTPSA; Wed, 01 Oct 2014 16:10:13 +0100
Message-ID: <542C1955.7080304@comodo.com>
Date: Wed, 01 Oct 2014 16:10:13 +0100
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Thunderbird/31.1.1
MIME-Version: 1.0
To: Stephen Kent <kent@bbn.com>, trans@ietf.org
References: <54296FB2.1060109@bbn.com><4262AC0DB9856847A2D00EF817E81139233695@scygexch10.cygnacom.com><544B0DD62A64C1448B2DA253C011414607D1629838@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM><4262AC0DB9856847A2D00EF817E8113923370C@scygexch10.cygnacom.com><544B0DD62A64C1448B2DA253C011414607D162989C@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM><20140930005524.GP16215@hezmatt.org> <542C10ED.2060902@bbn.com>
In-Reply-To: <542C10ED.2060902@bbn.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/NGHOAjDsFw2Boa5pEJXzfCPj9lo
Subject: Re: [Trans] path validation
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Oct 2014 15:10:22 -0000
On 01/10/14 15:34, Stephen Kent wrote: <snip> > I thought the CT design makes a counter argument, i.e., that CAs are > motivated to log certs because, over time, TLS clients will reject > connections to servers when there is no evidence of an SCT. Over time, yes, we hope that this will happen. But we obviously can't guarantee that, in N months/years from now, 100% of TLS clients will support CT. > if this argument is true, then having logs check for syntactic > mis-issuance is a good thing. I disagree. There is a gap between what is syntactically properly issued (according to CABF guidelines, etc) and what a typical TLS client actually accepts. If logs checked for syntactic mis-issuance, a rogue CA could exploit this gap by maliciously mis-issuing certs containing "syntax errors". CT would not reveal the attack (because the logs would refuse to issue SCTs), but TLS clients that don't reject connections when no SCT is provided would be vulnerable. We want to provide as much "herd immunity" as possible to TLS clients that don't support CT. This means that we need all certs to be publicly logged, to maximize the chances that any (maliciously) mis-issued cert will be discovered quickly. -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online
- [Trans] path validation Stephen Kent
- Re: [Trans] path validation Santosh Chokhani
- Re: [Trans] path validation Rick Andrews
- Re: [Trans] path validation Santosh Chokhani
- Re: [Trans] path validation Rick Andrews
- Re: [Trans] path validation David Leon Gil
- Re: [Trans] path validation Santosh Chokhani
- Re: [Trans] path validation Rick Andrews
- Re: [Trans] path validation Melinda Shore
- Re: [Trans] path validation Matt Palmer
- Re: [Trans] path validation Jeremy Rowley
- Re: [Trans] path validation Melinda Shore
- Re: [Trans] path validation Kyle Hamilton
- Re: [Trans] path validation Stephen Kent
- Re: [Trans] path validation Stephen Kent
- Re: [Trans] path validation Stephen Kent
- Re: [Trans] path validation David Leon Gil
- Re: [Trans] path validation Carl Wallace
- Re: [Trans] path validation Stephen Farrell
- Re: [Trans] path validation Rob Stradling
- Re: [Trans] path validation Stephen Kent
- Re: [Trans] path validation Stephen Kent
- Re: [Trans] path validation Stephen Kent
- Re: [Trans] path validation Russ Housley
- Re: [Trans] path validation David Leon Gil
- Re: [Trans] path validation Stephen Kent