Re: [Trans] Certificate and Precertificate extensions ordering

Ben Laurie <benl@google.com> Thu, 11 September 2014 11:17 UTC

Date: Thu, 11 Sep 2014 12:17:04 +0100
Message-ID: <CABrd9STKow0=AJhxB7x1o-DJ3aTL0TkWbnZuGmvreEu3oTDeSw@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Eran Messeri <eranm@google.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/OhKGKoifAFPxqSipL5tfp-wZkPE
Cc: Erwann Abalea <eabalea@gmail.com>, "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] Certificate and Precertificate extensions ordering

On 11 September 2014 11:56, Eran Messeri <eranm@google.com> wrote:
> The poison extension is removed from the Precertificate prior to the log
> producing an SCT over it, so a client never has to know about it. What the
> TLS client has to do is to remove the "embedded SCTs" extension from the
> certificate prior to validating the signature.

This does imply that the remaining extensions have to be in the same
order in both precert and cert, I think?

>
> On Thu, Sep 11, 2014 at 11:40 AM, Erwann Abalea <eabalea@gmail.com> wrote:
>>
>> Bonjour,
>>
>> It seems there's no constraint on the order of extensions in the final
>> certificate with respect to the Precert.
>> Won't it be problematic if the browser wants to validate the SCT
>> signatures by constructing the Precert from the final certificate? Where
>> should a CA add the poisonous extension? And the future "redactedlabels"
>> extension (it has no name)?
>>
>> --
>> Erwann.
>>
>> _______________________________________________
>> Trans mailing list
>> Trans@ietf.org
>> https://www.ietf.org/mailman/listinfo/trans
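The client-side reconstruction step discussed in this thread, as an added example (not code from the thread, from RFC 6962 or from any TLS client): a minimal pure-Python DER walker that removes the poison extension from a precertificate's Extensions and the embedded-SCT extension from the final certificate's, then compares what remains, so the two only match when the shared extensions appear in the same order. The two OIDs are RFC 6962's; every extension value and the Extensions sequences built from them are constructed samples.

```python
# Added example (not from the thread, RFC 6962 or any TLS client): a minimal DER walker
# showing that rebuilding the precert's Extensions from the final cert depends on order.
OID_EMBEDDED_SCTS = "1.3.6.1.4.1.11129.2.4.2"  # RFC 6962 embedded SCT list extension
OID_POISON = "1.3.6.1.4.1.11129.2.4.3"         # RFC 6962 precertificate poison extension

def der_len(n):  # DER length octets, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body
def encode_oid(dotted):  # dotted-decimal OID -> DER OBJECT IDENTIFIER TLV
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def read_tlv(buf, pos):  # -> (tag, value, offset just past this TLV)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln
def extension(oid, value, critical=False):  # X.509 Extension SEQUENCE
    crit = der_tlv(0x01, b"\xff") if critical else b""
    return der_tlv(0x30, encode_oid(oid) + crit + der_tlv(0x04, value))

def strip_extension(extensions_der, oid):  # remove one extension, keep the rest in order
    _, body, _ = read_tlv(extensions_der, 0)
    target, kept, pos = encode_oid(oid), [], 0
    while pos < len(body):
        _, ext, nxt = read_tlv(body, pos)
        if ext[:read_tlv(ext, 0)[2]] != target:  # compare the extnID TLV
            kept.append(body[pos:nxt])
        pos = nxt
    return der_tlv(0x30, b"".join(kept))
def precert_matches(precert_exts, cert_exts):  # the client-side reconstruction check
    return strip_extension(precert_exts, OID_POISON) == strip_extension(cert_exts, OID_EMBEDDED_SCTS)

KEY_USAGE = extension("2.5.29.15", b"\x03\x02\x05\xa0", critical=True)  # constructed sample
SAN = extension("2.5.29.17", b"\x30\x0d\x82\x0bexample.com")             # constructed sample
POISON = extension(OID_POISON, b"\x05\x00", critical=True)
SCTS = extension(OID_EMBEDDED_SCTS, b"\x04\x00")  # constructed empty placeholder SCT list
PRECERT_EXTS = der_tlv(0x30, KEY_USAGE + SAN + POISON)
CERT_SAME_ORDER = der_tlv(0x30, KEY_USAGE + SAN + SCTS)
CERT_REORDERED = der_tlv(0x30, SAN + KEY_USAGE + SCTS)  # same set, different order
```

`precert_matches(PRECERT_EXTS, CERT_SAME_ORDER)` is true while `precert_matches(PRECERT_EXTS, CERT_REORDERED)` is false, which is the ordering dependency Ben raises.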