Re: [Trans] Compatibility of name redaction and EV
Stephen Kent <kent@bbn.com> Tue, 19 August 2014 18:36 UTC
Return-Path: <kent@bbn.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99AB11A06AC for <trans@ietfa.amsl.com>; Tue, 19 Aug 2014 11:36:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.869
X-Spam-Level:
X-Spam-Status: No, score=-4.869 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BS7Y6kPjPZLA for <trans@ietfa.amsl.com>; Tue, 19 Aug 2014 11:36:39 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C3A51A06B5 for <trans@ietf.org>; Tue, 19 Aug 2014 11:36:38 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:52581 helo=comsec.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1XJoGp-000Jb3-I3; Tue, 19 Aug 2014 14:36:35 -0400
Message-ID: <53F39933.8030706@bbn.com>
Date: Tue, 19 Aug 2014 14:36:35 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Ben Laurie <benl@google.com>
References: <CABrd9SQ=mW7DoQUkXGv5M=nuoR1fTFG5N1Qc_PyK+mtm6E6s_A@mail.gmail.com> <53F25A33.5020405@bbn.com> <CABrd9SQcYQCV93CC-1DocNwOrKa0aJVqMaOMVRPWJt3pinvuiA@mail.gmail.com> <53F26610.8000608@bbn.com> <CABrd9SQWyNjvHdZXJ_eZCg4iFtdUxrWDQL1uVuAM+xnvdMCdFA@mail.gmail.com>
In-Reply-To: <CABrd9SQWyNjvHdZXJ_eZCg4iFtdUxrWDQL1uVuAM+xnvdMCdFA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/Qdy8r0VWgM--6LnAzSN_1l0plTE
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] Compatibility of name redaction and EV
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Aug 2014 18:36:40 -0000
Ben, > ... >> The topic of how a CT-compliant TLS client deals with a redacted cert, of >> any type, >> is within scope for TRANS. >> >> What Chrome does is not a subject for TRANS, since you have already stated >> that Chrome will do whatever Google decides, irrespective of any TRANS RFCs >> :-). > Google is obviously not unique in this regard - it's true of all > software, right? It's rather unusual for an author of an RFC to publicly state that he plans to ignore the RFC if it doesn't match his implementation plans. > >>> I am also mildly confused about how an RFC interacts with standards >>> that are not controlled by the IETF (i.e. the Base Requirements and >>> the Extended Validation requirements). >> >> Well, RFC 6125 is an example of a standards track RFC that talks about EV >> certs in the TLS context, so there is a precedent. > As far as I can see only to say its out of scope. Only the first mention of EV certs appears in the section "labelled "out of scope." The reference to EV certs in Section 2.3.1 says that the RFC prefers use of the Subject Alt Name over the Common name for representing certain classes of IDs, but acknowledges that use of the CN-ID construct is OK for backward compatibility with "deployed infrastructure", citing EV certs. In Section 7.2, there is another reference to EV certs, in the context of wildcard use. In that instance the RFC suggests that the guidelines published in 2009 allowed wildcards, whereas the RFC argued against their use except in one specific location. So, I see the RFC as an example of how an IETF standard can choose to accommodate, or reject, guidelines from outside the IETF. There are other RFCs that deal with this topic very directly, e.g., in the MPLS space. The bottom line is that the IETF can choose to view non-IETF standards as off limits, or can reinforce support for them, or reject them in the IETF context. I'm pretty sure we can find examples of all of these ways of dealing with other standards in the RFC collection. I suspect Russ Housely is especially well suited to cite examples based on his experience as IETF Chair. Steve
- [Trans] Compatibility of name redaction and EV Ben Laurie
- Re: [Trans] Compatibility of name redaction and EV Stephen Kent
- Re: [Trans] Compatibility of name redaction and EV Ben Laurie
- Re: [Trans] Compatibility of name redaction and EV Stephen Kent
- Re: [Trans] Compatibility of name redaction and EV Ben Laurie
- Re: [Trans] Compatibility of name redaction and EV Stephen Kent
- Re: [Trans] Compatibility of name redaction and EV Ben Laurie
- Re: [Trans] Compatibility of name redaction and EV Stephen Kent
- Re: [Trans] Compatibility of name redaction and EV Ben Laurie
- Re: [Trans] Compatibility of name redaction and EV Rob Stradling
- Re: [Trans] Compatibility of name redaction and EV Melinda Shore
- Re: [Trans] Compatibility of name redaction and EV Stephen Kent
- Re: [Trans] Compatibility of name redaction and EV Stephen Kent