Re: [Trans] Certificate and Precertificate extensions ordering
Eran Messeri <eranm@google.com> Thu, 11 September 2014 11:52 UTC
Return-Path: <eranm@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A89A71A6EFC for <trans@ietfa.amsl.com>; Thu, 11 Sep 2014 04:52:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.03
X-Spam-Level:
X-Spam-Status: No, score=-3.03 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-1.652, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HLFHkgOZ5TIH for <trans@ietfa.amsl.com>; Thu, 11 Sep 2014 04:52:34 -0700 (PDT)
Received: from mail-vc0-x236.google.com (mail-vc0-x236.google.com [IPv6:2607:f8b0:400c:c03::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 409611A6EFB for <trans@ietf.org>; Thu, 11 Sep 2014 04:52:34 -0700 (PDT)
Received: by mail-vc0-f182.google.com with SMTP id le20so6059204vcb.27 for <trans@ietf.org>; Thu, 11 Sep 2014 04:52:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=aTDlCvDqAUk06r2jnYVmEUvl8Sn8q/iz9ybePtLcTRc=; b=E2hKL6RebJuKD/PXzyWXoIzswbC+GlrBS9j+hTqRcSi/HF88YVNOCNPhOAg6HBwbDD SiBQjhVS3FAYUlXwNKuZ9UehgR8YAQyZRGd/Lxa/2K/nVfxHOl64zqld0HT/nYWoV45e JrcN5VAduyzuSGKXFABOnRZ7/CCf70O2BPP2ZhU3vOtHZEPr3Iiq+N9GgdkRNwhC9zux j1pEbCLKZ3dtjdyGuHGRBLFbffBs0iGOBGVwYA9RjVatfTUb07Wv7k6GNMjLsBCAhaFo UxaRReIMMdC2yeq6IlS/FOOliVNJUjxaLk4oG2BDndKQE3IP7TwP1BFsK2VrMs9swRuD G+4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=aTDlCvDqAUk06r2jnYVmEUvl8Sn8q/iz9ybePtLcTRc=; b=HxB2PjQuKRttq5NP4X3Fv1H2FUxAeFCB8u6NpGUedrpmdqTOF6a4r1hSWks98MMMaR AoO8kdA9Npc888m7YdMbh7d8zSQYKx5I4e1KxAz+twclsdjHsy763oXbWqgRvGt3urA5 1pDGD837AKRQ0yNDFVc9kfiA1IMkCQVHkHAR7YluL4P7EiY280neduAKD5Ysw9ldJE/i KPkR1TyXG6mTOVsXujEVWdaqOCbMOIPiqXcTt3DaP9i8PVLWLiGVzGbZ+Mce3z/AJgIS Rqo0ehtQQsSyzws9eRul1OX8l2gZaIvDpbeUXXmUklF9qiDML9DDDSnLicey8RA4HJE5 1z/A==
X-Gm-Message-State: ALoCoQnP59x+/lEhT8B0tiwp6d+YOgBwZV90BXgfAoa2/Pe8qjo+sUQHJIC1Mrao7B9ohjTLlyBA
MIME-Version: 1.0
X-Received: by 10.52.116.132 with SMTP id jw4mr218286vdb.42.1410436353152; Thu, 11 Sep 2014 04:52:33 -0700 (PDT)
Received: by 10.52.2.138 with HTTP; Thu, 11 Sep 2014 04:52:33 -0700 (PDT)
In-Reply-To: <54118B4F.8000102@comodo.com>
References: <CA+i=0E5o_JEUquZpxhwiVKU3dvDTOHSf0fbeD7Nj7vrDwAkeSw@mail.gmail.com> <CALzYgEcEpegaBt6-w+Y7Hs6EODdHUe=CFA6W=H8Afd9gxZjaSg@mail.gmail.com> <541184B7.9070701@comodo.com> <CABrd9SRL+O+GUNT2hvc9ysKwjksG0DJ1C7oHHH-8es1npzELnA@mail.gmail.com> <CABrd9SRF1vhkWktjVXKzJNY2Zu01TK9gKA4SsDMp8--gRdtZng@mail.gmail.com> <54118B4F.8000102@comodo.com>
Date: Thu, 11 Sep 2014 12:52:33 +0100
Message-ID: <CALzYgEcbOJfNeB5F6h1wBVQUj-8gZgsV-_nzFZ=gn-WeQrCFrA@mail.gmail.com>
From: Eran Messeri <eranm@google.com>
To: Rob Stradling <rob.stradling@comodo.com>
Content-Type: multipart/alternative; boundary="bcaec547c999cef4b40502c8cd7b"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/R4BIj9jSN2VVzuPbadcmDa2WArg
Cc: "trans@ietf.org" <trans@ietf.org>, Erwann Abalea <eabalea@gmail.com>, Ben Laurie <benl@google.com>
Subject: Re: [Trans] Certificate and Precertificate extensions ordering
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Sep 2014 11:52:36 -0000
On Thu, Sep 11, 2014 at 12:45 PM, Rob Stradling <rob.stradling@comodo.com> wrote: > On 11/09/14 12:31, Ben Laurie wrote: > >> On 11 September 2014 12:27, Ben Laurie <benl@google.com> wrote: >> >>> On 11 September 2014 12:17, Rob Stradling <rob.stradling@comodo.com> >>> wrote: >>> >>>> On 11/09/14 11:56, Eran Messeri wrote: >>>> >>>>> >>>>> The poison extension is removed from the Precertificate prior to the >>>>> log >>>>> producing an SCT over it, so a client never has to know about it. What >>>>> the TLS client has to do is to remove the "embedded SCTs" extension >>>>> from the certificate prior to validating the signature. >>>>> >>>> >>>> Ditto for the future "redactedlabels" extension. >>>> >>> >>> That one appears in the cert, too, doesn't it? >>> >> >> Sorry, ignore that, it is in the cert but not the precert (though that >> seems like an arbitrary decision to me). >> > > I was ditto-ing Eran's second sentence, not his first. Sorry if I wasn't > clear. > > Yes, I think we could put the "redactedlabels" extension in the precert > too. Or, might those who wish to use the redaction mechanism also want to > keep secret the number of redacted domain components? > > Hmmm...if we do decide that the number of redacted domain components can > be revealed by the precert, then it might be simpler to scrap the > "redactedlabels" extension altogether and instead say that "(PRIVATE)" > always covers precisely 1 domain component. Then, if you want to redact 3 > components, you'd put "SAN:dNSName=(PRIVATE).(PRIVATE).(PRIVATE).mydomain. > com" in the precert. > > (To reduce bloat, we could shrink "(PRIVATE)" to "?". e.g. > "SAN:dNSName=?.?.?.mydomain.com"). > +1 to that - seems like it would significantly simplify the implementation of redacted domain name label: The risk of misalignment between the values in the extension that counts the number of redacted subdomains for each SAN and the actual SANs goes away. > > <snip> > > > -- > Rob Stradling > Senior Research & Development Scientist > COMODO - Creating Trust Online >
- [Trans] Certificate and Precertificate extensions… Erwann Abalea
- Re: [Trans] Certificate and Precertificate extens… Eran Messeri
- Re: [Trans] Certificate and Precertificate extens… Ben Laurie
- Re: [Trans] Certificate and Precertificate extens… Rob Stradling
- Re: [Trans] Certificate and Precertificate extens… Rob Stradling
- Re: [Trans] Certificate and Precertificate extens… Ben Laurie
- Re: [Trans] Certificate and Precertificate extens… Ben Laurie
- Re: [Trans] Certificate and Precertificate extens… Rob Stradling
- Re: [Trans] Certificate and Precertificate extens… Eran Messeri