IETF Logo Mail Archive

Re: [Trans] Goals and generic mis-issuance fgramework

Rick Andrews <Rick_Andrews@symantec.com> Mon, 20 October 2014 21:38 UTC

Return-Path: <Rick_Andrews@symantec.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E730A1ACEF2 for <trans@ietfa.amsl.com>; Mon, 20 Oct 2014 14:38:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.91
X-Spam-Level:
X-Spam-Status: No, score=-6.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7YtbRaBJhm0E for <trans@ietfa.amsl.com>; Mon, 20 Oct 2014 14:38:05 -0700 (PDT)
Received: from tus1smtoutpex01.symantec.com (tus1smtoutpex01.symantec.com [216.10.195.241]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 759151ACEFE for <trans@ietf.org>; Mon, 20 Oct 2014 14:38:05 -0700 (PDT)
X-AuditID: d80ac3f1-f791a6d0000069e3-0f-544580bc8555
Received: from tus1opsmtapin01.ges.symantec.com (tus1opsmtapin01.ges.symantec.com [192.168.214.43]) by tus1smtoutpex01.symantec.com (Symantec Brightmail Gateway out) with SMTP id A2.66.27107.CB085445; Mon, 20 Oct 2014 22:38:04 +0100 (BST)
Received: from [155.64.220.139] (helo=TUS1XCHHUBPIN03.SYMC.SYMANTEC.COM) by tus1opsmtapin01.ges.symantec.com with esmtp (Exim 4.76) (envelope-from <Rick_Andrews@symantec.com>) id 1XgKeS-0002Hu-KU; Mon, 20 Oct 2014 21:38:04 +0000
Received: from TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM ([155.64.220.146]) by TUS1XCHHUBPIN03.SYMC.SYMANTEC.COM ([155.64.220.139]) with mapi; Mon, 20 Oct 2014 14:38:04 -0700
From: Rick Andrews <Rick_Andrews@symantec.com>
To: Stephen Kent <kent@bbn.com>, "trans@ietf.org" <trans@ietf.org>
Date: Mon, 20 Oct 2014 14:38:02 -0700
Thread-Topic: [Trans] Goals and generic mis-issuance fgramework
Thread-Index: Ac/kBvkH0jFjwnzRSUS20XV+fS4VXgIpDMgw
Message-ID: <544B0DD62A64C1448B2DA253C011414607D2BA8687@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
References: <5436FC38.1070201@bbn.com>
In-Reply-To: <5436FC38.1070201@bbn.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_544B0DD62A64C1448B2DA253C011414607D2BA8687TUS1XCHEVSPIN_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrKIsWRmVeSWpSXmKPExsVyg+vQb909Da4hBmdPGFpsnM1osfbxRRYH Jo+p50M9liz5yRTAFMVlk5Kak1mWWqRvl8CVcX/rbbaCUzMZKxZsv8/cwHi/lbGLkZNDQsBE 4uasBnYIW0ziwr31bF2MXBxCAh8YJfo75kE5rxglfhy6xgzhrGKUWPvwJDNIC5uAnsSWx1fA 2kUEnCTud79hArFZBFQlmuavZQWxhQXsJHpf3mOGqLGXOLt1HROEbSRxdPYusF5egSiJ9ulz wOqFBNQkJu6eB1bDKaAu0fLkGpjNCHTe91NrwGxmAXGJW0/mM0GcLSCxZM95ZghbVOLl43+s EPWiEnfa1zNC1OdLtLccYIHYJShxcuYTFoh6SYmDK26wTGAUm4Vk7CwkLbOQtEDEdSQW7P7E BmFrSyxb+JoZxj5z4DETsvgCRvZVjDIlpcWGxbkl+aUlBakVBoZ6xZW5icCoTNZLzs/dxAiO zMMfdzAe3et4iFGAg1GJh/dMjWuIEGtiGVDlIUYJDmYlEd6/MUAh3pTEyqrUovz4otKc1OJD jNIcLErivG8r7EKEBNITS1KzU1MLUotgskwcnFINjJ0ydfEa+i8MvzGmLjgv277TISDi92Yh +yzlSy+kJpl857+iMqFVP59FKsThd7CZdZLL/g7FtObzhuuN9ky4Hy/Gfb7lT+2sxJULjff3 zdfQ8q38yf776OcvrE7LZt//f59vo83+vScnCfqEvlwS6xF7KOdLjoOa34yQ69Zsxa08n/1E k9eXK7EUZyQaajEXFScCAErw1wTIAgAA
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/OtPeWi6hsl_rdOOIxFqUKHaNQyQ
Subject: Re: [Trans] Goals and generic mis-issuance fgramework
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Oct 2014 21:38:10 -0000

Stephen,

Some comments inline.

-Rick

From: Trans [mailto:trans-bounces@ietf.org] On Behalf Of Stephen Kent
Sent: Thursday, October 09, 2014 2:21 PM
To: trans@ietf.org
Subject: [Trans] Goals and generic mis-issuance fgramework

In response to some of the issues Paul and others have raised, I have generated
some text that tries to characterize the goal of CT, establishes a generic framnework
for defining checks for mis-issuance, and sets the stage for references to two RFcs
that will define syntactic and semantic checks for Web PKI certs claiming to conform to
CABF DV or EV guidelines.

Note that this text do not require a log to perform any checks; it allows a log to
indicate if has performed applicable checks, and the results of such checking.

Steve
-------


1. Certificate Transparency Goals and Mechanisms

The goals of Certificate Transparency (CT) are threefold: detection, deterrence, and enabling remediation of mis-issuance of certificates. The initial focus of CT is the Web PKI context, (The Web PKI context refers to the use of a set of Certification Authorities (CAs) that issue X.509 certificates to web servers to enable TLS-protected access by clients [cite WPKOPS?].) In the future, it is anticipated that addition *additional* operational contexts may be supported. As a result, mis-issuance is defined in an fashion that accommodates a range of types of certificates used in a range of contexts.

CT supports detection of mis-issuance using logs of certificates, populated by the CAs that issue them or by the Subjects of certificates. Monitors (described in Section X) are the primary elements of the CT system that check certificates for syntactic and semantic mis-issuance, on behalf of Subjects. A Monitor may be operated by a third party on behalf of Subjects, or may be operated by a Subject on its own behalf. (The latter is referred to as "self-monitoring".) Logs may optionally perform syntactic checks for some classes of certificates, but a log is not required to offer certificate checking.
The first sentence needs to be more broad, since anyone can send a cert to a log. But it's most likely to be the CAs or the Subjects, so I would suggest "CT supports detection of mis-issuance using logs of certificates, populated by the CAs that issue them, by the Subjects of certificates, or by anyone with knowledge of the entire certificate chain.".

To enable Monitors (and, optionally, logs) to perform an appropriate set of checks, the (pre-) a CCID MUST be provided to a log when a certificate is submitted by a CA or Subject. This CCID MUST appear in the log entry and in the SCT generated by the log. By providing the CCID in logs and SCTs, both Monitors and clients are empowered to perform applicable checks based on the certificate class asserted by the CA or Subject.
Hmm... Since anyone can send a cert to a log, the first sentence must reflect that. But that makes me wonder what should happen if the "Reporter" (I don't want to introduce a new role) sends the wrong CCID? (By "wrong" I mean it's a valid CCID, but it's not the one that the CA would associate with the cert.) Or sends the cert multiple times with different CCIDs? I guess Monitors would have to expect multiple entries for a given certificate in a given log, with different CCIDs. I'm not sure if 6962-bis imposes any uniqueness constraint that this might violate.

A log MUST generate a Syntax Verification Value (SVV) for the certificate, and include the SVV in the log entry and in the SCT.
The LVV *SVV* is *a* value specified by this document (see Section Z) that indicates whether or not the log performed applicable syntactic checks, and whether the (pre-) certificate passed of *or* failed the checks. Although it is anticipated that new certificate classes will arise over time, the set of log actions with respect to syntax checking appears to be well-defined and thus need not be represented in an IANA registry. Each SCT issued by a log MUST include an SVV.


Value Interpretation

0                 The CCID value was 0, so not *no* checks were performed

1                 This log does not perform syntax checks

2                 This log does not support syntax checks for the asserted CCID

3                 This log performed the syntax checks for the asserted CCID, and the certificate passed

4                 This log performed the syntax checks for the asserted CCID, and the certificate failed

No other SVV values are defined by this RFC.

v2.23.0 | Report a Bug | By Email