[Trans] RFC 6962 clarification: entry type vs SCTs origin

Fabrice Gautier <fabrice.gautier@gmail.com> Fri, 19 September 2014 18:50 UTC

Return-Path: <fabrice.gautier@gmail.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 7FCAA1A06C1 for <trans@ietfa.amsl.com>; Fri, 19 Sep 2014 11:50:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id ZhOBCXqIGjYO for <trans@ietfa.amsl.com>; Fri, 19 Sep 2014 11:50:42 -0700 (PDT)
Received: from mail-we0-x22b.google.com (mail-we0-x22b.google.com [IPv6:2a00:1450:400c:c03::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 805791A04FA for <trans@ietf.org>; Fri, 19 Sep 2014 11:50:42 -0700 (PDT)
Received: by mail-we0-f171.google.com with SMTP id k48so218833wev.16 for <trans@ietf.org>; Fri, 19 Sep 2014 11:50:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to:content-type; bh=H6oZl2fQRZycOjzjkwTnKu3lUf6Sqxic2ANeZwehT1A=; b=Mdgy6g6mdBynCi7lzCwXfa860IuP+6spFc2+VpO+0f2ACRlAExptMLGcXzXDmyMRUA HaBh7a/gM4cz84TzSxSIUAjsD9yzl+ODCpKhGqNcSxvHpEza4rBijztV8+fzZZYOkQy0 WqxRXNC6KI8A9EIgvJy+Buu2zYHfaP6cGyDVJqPi1vRXrGiPSuRNlVMjTTwG3QRDOvlk pLPpj/Roeqbeo7dJpU8CDRMXA4nj5+7VxLHRLdvfVJguw3DINfih26EVY7XlRvyS42// njrDD479uy+HvZHknGCZINhGXWeundSmr+cThutAVhLkCY/HZapJ68XeFPQxe16mlTJ5 d1xw==
X-Received: by with SMTP id v19mr2992895wjw.18.1411152640816; Fri, 19 Sep 2014 11:50:40 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Fri, 19 Sep 2014 11:50:20 -0700 (PDT)
From: Fabrice Gautier <fabrice.gautier@gmail.com>
Date: Fri, 19 Sep 2014 11:50:20 -0700
Message-ID: <CANOyrg9pSx7mNkAUPNhYPiqWqGm9jv7kN4A--BWcDeuiNzZR8w@mail.gmail.com>
To: "trans@ietf.org" <trans@ietf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/QrMS4WPV-qPi46MA_7sGGQj6nR4
Subject: [Trans] RFC 6962 clarification: entry type vs SCTs origin
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Sep 2014 18:50:45 -0000


Since in RFC6962, the entry type in an SCTs is not explicit, one has
to either guess or try both type in order to validate the SCTs.

Does it make sense to infer the entry type from the origin of the SCT?

If the SCT is embedded in a cert, it has to be a precert entry. In
case of an SCT in the TLS handshake, I would expect in most case it's
an x509 entry.

But are there any situations where having a SCT with precert entry in
the TLS extension or OCSP response would make sense ?


-- Fabrice