Re: [Trans] [trans] #80 (rfc6962-bis): Re-introduce the issuer key hash into the Precertificate
"trans issue tracker" <trac+trans@tools.ietf.org> Wed, 01 July 2015 16:59 UTC
#80: Re-introduce the issuer key hash into the Precertificate

Comment (by rob.stradling@comodo.com):

This problem affects browser clients and any other client that wants to verify that an SCT corresponds to a particular cert. A browser has the full cert chain (from the TLS handshake) and the corresponding SCTs, but it is _not_ expected to have the full log entries (i.e. extra_data, etc).

In the current text, the SCT is bound to the Issuer Name (because that's in the TBSCertificate), but not to the Issuer Key (because that's not in the TBSCertificate).

There could exist two or more publicly-trusted intermediate CA certs with the same Name but different Keys. One of those intermediates might be logged, while the other(s) are not logged. Each of them could issue leaf certs that have an identical TBSCertificate. Only one of those leaf certs needs to be logged for there to exist SCT(s) that are valid for all of those leaf certs. The logged leaf cert might get revoked, but the other(s) might not get revoked. However, the SCT(s) would still work for all of those certs, including the non-logged ones.

Therefore, we need to fix SCTs so that they're bound to the Issuer Key Hash as well as the Issuer Name.

-- 
------------------------------+---------------------------------------
 Reporter:  eranm@google.com   |      Owner:  rob.stradling@comodo.com
     Type:  defect             |     Status:  assigned
 Priority:  major              |  Milestone:
Component:  rfc6962-bis        |    Version:
 Severity:  -                  |  Resolution:
 Keywords:                     |
------------------------------+---------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/trans/trac/ticket/80#comment:4>
trans <http://tools.ietf.org/trans/>
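Added illustration, not part of the ticket or of any draft text: it serialises the SCT signing input of RFC 6962 section 3.2 for a precert entry, once with only the TBSCertificate (the name-only binding the comment describes) and once with the issuer_key_hash, and runs the chain-only check a browser can perform. The SPKI and TBSCertificate bytes are constructed placeholders, and a SHA-256 digest of the signing input stands in for the log's actual signature.

```python
import hashlib
import hmac
import struct
from typing import Optional

# RFC 6962 section 3.2 enum values: v1, certificate_timestamp, precert_entry.
SCT_V1, SIG_TYPE_CERT_TIMESTAMP, ENTRY_TYPE_PRECERT = 0, 0, 1

def issuer_key_hash(issuer_spki_der: bytes) -> bytes:
    """SHA-256 of the issuer's DER SubjectPublicKeyInfo (RFC 6962 issuer_key_hash)."""
    return hashlib.sha256(issuer_spki_der).digest()

def precert_sct_signing_input(timestamp_ms: int, tbs_certificate: bytes,
                              issuer_spki_der: Optional[bytes], extensions: bytes = b"") -> bytes:
    """Serialise the 'digitally-signed' struct a log signs for a precert SCT.
    issuer_spki_der=None models a PreCert holding only the TBSCertificate (the
    binding the ticket calls insufficient); otherwise the 32-byte key hash is prepended."""
    if len(tbs_certificate) >= 1 << 24:
        raise ValueError("TBSCertificate exceeds opaque<1..2^24-1>")
    body = bytes([SCT_V1, SIG_TYPE_CERT_TIMESTAMP])
    body += struct.pack(">Q", timestamp_ms)           # uint64 timestamp
    body += struct.pack(">H", ENTRY_TYPE_PRECERT)     # LogEntryType
    if issuer_spki_der is not None:
        body += issuer_key_hash(issuer_spki_der)      # opaque issuer_key_hash[32]
    body += len(tbs_certificate).to_bytes(3, "big") + tbs_certificate
    body += struct.pack(">H", len(extensions)) + extensions  # CtExtensions
    return body

def sct_commitment(timestamp_ms: int, tbs: bytes, spki: Optional[bytes]) -> bytes:
    """Digest of the signing input; stands in for the log's signature here."""
    return hashlib.sha256(precert_sct_signing_input(timestamp_ms, tbs, spki)).digest()

def sct_matches_chain(commitment: bytes, timestamp_ms: int, leaf_tbs: bytes,
                      chain_issuer_spki: Optional[bytes]) -> bool:
    """Client-side check using only the chain it holds, no log entry needed."""
    return hmac.compare_digest(commitment, sct_commitment(timestamp_ms, leaf_tbs, chain_issuer_spki))

# Constructed placeholders: two intermediates sharing a Name but not a key, and
# a leaf TBSCertificate that is byte-identical whichever of them issued it.
INTERMEDIATE_A_SPKI = b"\x30\x59" + b"\xa1" * 89     # not a real key
INTERMEDIATE_B_SPKI = b"\x30\x59" + b"\xb2" * 89     # not a real key
LEAF_TBS = b"\x30\x38" + b"tbs: issuer=CN=Example Intermediate CA" + b"\x00" * 16
TIMESTAMP_MS = 1435769970000                          # 2015-07-01T16:59:30Z

def demo() -> dict:
    keyless = sct_commitment(TIMESTAMP_MS, LEAF_TBS, None)
    for_a = sct_commitment(TIMESTAMP_MS, LEAF_TBS, INTERMEDIATE_A_SPKI)
    return {"keyless_sct_fits_b_chain": sct_matches_chain(keyless, TIMESTAMP_MS, LEAF_TBS, None),
            "key_bound_sct_fits_b_chain": sct_matches_chain(for_a, TIMESTAMP_MS, LEAF_TBS, INTERMEDIATE_B_SPKI)}
```

With only the TBSCertificate in the signed data, the SCT issued for intermediate A's leaf is indistinguishable from one for B's leaf; once the key hash is included, a client that has only the handshake chain rejects the mismatch.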