Re: [Trans] overview of remaining(?) DISCUSS items for draft-ietf-trans-rfc6962-bis-33

Rob Stradling <rob@sectigo.com> Mon, 23 September 2019 12:53 UTC

From: Rob Stradling <rob@sectigo.com>
To: Paul Wouters <paul@nohats.ca>
CC: Trans <trans@ietf.org>, Alissa Cooper <alissa@cooperw.in>
Thread-Topic: [Trans] overview of remaining(?) DISCUSS items for draft-ietf-trans-rfc6962-bis-33
Thread-Index: AQHVblRQ0CWg5MVGO0ywZM7RXIf1a6czBmsAgAApD4CABg+gAA==
Date: Mon, 23 Sep 2019 12:53:26 +0000
Message-ID: <4632c221-c207-72c4-83c3-ecc8dcbf2ba7@sectigo.com>
References: <alpine.LRH.2.21.1909181506160.11898@bofh.nohats.ca> <b6ec6a38-a4c2-64b4-0584-d13deead2605@sectigo.com> <alpine.LRH.2.21.1909191211080.29314@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1909191211080.29314@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/N_MEEz0YbsU_rSSMOA9hy4LByqg>

On 19/09/2019 17:19, Paul Wouters wrote:
> On Thu, 19 Sep 2019, Rob Stradling wrote:
<snip>
>>> And let me add my own question regarding 10.6.1. Should we expect these
>>> registry entries can change over time? If so, is it defined anywhere
>>> what consumers are supposed to do or how they are supposed to find out,
>>> that a log base url has changed? Shouldn't such a change be done using
>>> a new OID?
>>
>> Since the OID (the Log ID) appears in each of the signed log artifacts
>> (SCTs, STHs), I think trying to change the OID of an existing log would
>> be pretty disastrous.
>>
>> However, I agree that there could be legitimate reasons for wanting to
>> change a log's base URL.  For example, in the currently deployed CT v1
>> ecosystem, it would be really nice if Sectigo could update the base URLs
>> of our Mammoth and Sabre logs.  ({mammoth,sabre}.ct.comodo.com made
>> sense when we set up these logs, but then Sectigo (formerly Comodo CA)
>> was carved out of Comodo).
>>
>> Having said that though, I think the best approach would be to add a
>> sentence to the document that says that log base URLs MUST NOT change.
>> Nice and simple.
> 
> So this seems to contradict itself. You give a good reason why a base
> url might change, then suggest to say MUST NOT. And you cannot add a
> new entry with updated base url using the same OID I guess? So one would
> have to replay the existing log into a new one. If that becomes a common
> practice, how is this distinguishable from a log replay that removes an
> entry and urges everyone to (automatically or not) update to the new
> base url?

Hi Paul.  This was my thought process...

A mechanism for a log to change its base url might be "nice to have", 
but it would add complexity.  Adding complexity should be avoided unless 
it's "really necessary".  "nice to have" is not "really necessary", and 
besides, there is already a mechanism for achieving the same goal: 
retire the current log and spin up a new log.

The ecosystem needs to be agile enough to support regular log retirement 
and regular spinning up of new logs, so let's not (over)engineer an 
alternative mechanism that assumes the ecosystem lacks that agility.

-- 
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited
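As an added illustration of the point made in this exchange (example code, not from the thread, Sectigo, or any CT implementation): the Log ID is embedded in every SCT, so a consumer resolves a log by ID, while the base URL is merely an attribute of the log-list entry. The parser below follows the RFC 6962 (CT v1) SCT wire format, since the thread cites the deployed v1 ecosystem; the log list, its URLs and the sample SCT are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass
class ParsedSCT:
    version: int
    log_id: bytes        # v1: SHA-256 of the log's public key (32 bytes)
    timestamp_ms: int
    extensions: bytes
    signature: bytes

def parse_sct(raw: bytes) -> ParsedSCT:
    """Parse a CT v1 SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    if len(raw) < 43:
        raise ValueError("SCT too short")
    version = raw[0]
    if version != 0:  # v1 is the only version RFC 6962 defines
        raise ValueError(f"unsupported SCT version {version}")
    log_id = raw[1:33]
    (timestamp_ms,) = struct.unpack(">Q", raw[33:41])
    (ext_len,) = struct.unpack(">H", raw[41:43])
    ext_end = 43 + ext_len
    # digitally-signed: hash alg (1) + sig alg (1) + length (2) + signature
    if len(raw) < ext_end + 4:
        raise ValueError("truncated extensions or signature header")
    (sig_len,) = struct.unpack(">H", raw[ext_end + 2:ext_end + 4])
    signature = raw[ext_end + 4:ext_end + 4 + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated signature")
    return ParsedSCT(version, log_id, timestamp_ms, raw[43:ext_end], signature)

def build_sct(log_id: bytes, timestamp_ms: int, signature: bytes, extensions: bytes = b"") -> bytes:
    """Serialise a v1 SCT; used only to construct sample input (0x04,0x03 = sha256/ecdsa)."""
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + b"\x04\x03" + struct.pack(">H", len(signature)) + signature)

# Constructed log list: the Log ID is the key; the base URL is a mutable attribute of the entry.
LOG_LIST = {
    bytes.fromhex("11" * 32): {"description": "constructed log A", "url": "https://log-a.example/ct/v1/", "state": "usable"},
    bytes.fromhex("22" * 32): {"description": "constructed log B", "url": "https://log-b.example/ct/v1/", "state": "retired"},
}

def locate_log(sct: ParsedSCT, log_list: dict) -> Optional[dict]:
    """Resolve the SCT's log by ID: a URL edit under the same ID stays resolvable; a new ID would not."""
    return log_list.get(sct.log_id)
```

A retired entry stays in the list so older SCTs still resolve, which is the "retire and spin up a new log" path the reply prefers.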