Re: [Trans] CT for purposes other than TLS server certificates

"Devon O'Brien" <devon.obrien@gmail.com> Wed, 18 September 2019 19:32 UTC

From: Devon O'Brien <devon.obrien@gmail.com>
Date: Wed, 18 Sep 2019 12:32:03 -0700
To: Taavi Eomäe <taavieomae@gmail.com>
Cc: Sherif Hanna <sherif@truepic.com>, trans@ietf.org
Message-ID: <CAPpiK7UWOU46NqkkOYEsdAWPP2JXfBbAnCwRUrUvgQ_i23dEew@mail.gmail.com>
In-Reply-To: <CALfTr+rVUJAhZkkYc=4UOQHraHfya+P6H0RdH1tEUCs5uvagTA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/RV5P8ubN_PwVJ_lefp2lUrIWk5E>
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>

That is correct. While this is slightly drifting out of the scope of TRANS
and the RFCs and into user agent policy, there is not currently a
technical limitation on which types of leaf certificates are logged to
existing CT Logs, except that they must chain to the set of roots specified
by the Log. Chrome, for example, also allows a Log to reject a certificate
logging request if the certificate is expired, revoked, or expires outside
of a certain time period if such a period is specified by that Log.

Speaking for one user agent only, I can say Chrome is considering requiring
that Logs verify that a certificate is a TLS certificate (expressed via EKUs) in
order to be logged; however, there are myriad ways in which PII or
sensitive information can be added to even TLS certificates. User agent CT
policy is evolving over time, and if embedding such information becomes a
serious issue, it will be addressed via updates to that policy.

-Devon

On Wed, Sep 18, 2019 at 11:40 AM Taavi Eomäe <taavieomae@gmail.com> wrote:

> >  1. Many other certificate types contain PII or other information that
> various laws require a service to be able to take down upon request, which
> conflicts with the append-only nature of CT.
>
> Just wanted to add one thing about this benefit: I am pretty sure even
> current CT logs allow appending certificates that contain PII and conflict
> with the append-only nature of CT.
>
>
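The Log-side checks Devon lists (the chain must end at a root in the Log's accepted set; a Log may additionally refuse expired leaves or leaves whose expiry falls outside its temporal window; and the EKU check Chrome is said to be considering), as an added Go example that is not code from this thread nor from any Log implementation. `LogPolicy`, `Accept`, `BuildFixture`, the scenario names, the shard window and the submission time are this example's own assumptions; the root and leaf certificates are generated in-process from a throwaway P-256 key and are not real certificates. The strict policy refuses the S/MIME leaf on EKU, while the same leaf, which carries an e-mail address, is logged as soon as `RequireTLSEKU` is off, which is Taavi's point that nothing today prevents PII-bearing non-TLS certificates from being appended.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LogPolicy is a hypothetical model, not any real Log's code, of the acceptance rules the
// thread describes: chain to the Log's roots, optionally refuse expired and out-of-shard
// leaves, and (the proposal mentioned for Chrome) refuse leaves without a TLS server EKU.
type LogPolicy struct {
	Roots                *x509.CertPool
	RejectExpired        bool
	ShardStart, ShardEnd time.Time // when set, require ShardStart <= NotAfter < ShardEnd
	RequireTLSEKU        bool      // leaf EKU must include id-kp-serverAuth
}

// Accept returns nil when a submitted leaf (intermediates omitted in this model) would be logged.
func (p LogPolicy) Accept(leaf *x509.Certificate, now time.Time) error {
	if p.RejectExpired && now.After(leaf.NotAfter) {
		return fmt.Errorf("leaf is expired")
	}
	if !p.ShardStart.IsZero() && (leaf.NotAfter.Before(p.ShardStart) || !leaf.NotAfter.Before(p.ShardEnd)) {
		return fmt.Errorf("leaf NotAfter is outside this Log's temporal shard")
	}
	usages := []x509.ExtKeyUsage{x509.ExtKeyUsageAny} // today: any leaf type is loggable
	if p.RequireTLSEKU {
		usages = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth} // proposed: TLS server leaves only
	}
	// Path-build at the leaf's own NotBefore so expiry stays the explicit decision above; Verify
	// then only answers "does it chain to an accepted root, with an acceptable EKU?".
	_, err := leaf.Verify(x509.VerifyOptions{Roots: p.Roots, CurrentTime: leaf.NotBefore, KeyUsages: usages})
	return err
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}
var serial int64

// issue signs tmpl with parentKey (self-signed when parent is nil): a throwaway test PKI.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

func date(y int, m time.Month) time.Time { return time.Date(y, m, 1, 0, 0, 0, 0, time.UTC) }

// BuildFixture returns a strict policy, a submission time and constructed leaves keyed by scenario.
func BuildFixture() (LogPolicy, time.Time, map[string]*x509.Certificate) {
	ca := func(cn string) *x509.Certificate {
		return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, NotBefore: date(2015, 1),
			NotAfter: date(2035, 1), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	}
	root, rootKey := issue(ca("Example Root accepted by the Log"), nil, nil)
	other, otherKey := issue(ca("Example Root NOT accepted by the Log"), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	// Every leaf also carries an e-mail address, the kind of PII the thread is concerned about.
	leaf := func(nb, na time.Time, eku x509.ExtKeyUsage, p *x509.Certificate, k *ecdsa.PrivateKey) *x509.Certificate {
		c, _ := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "example.com"},
			DNSNames: []string{"example.com"}, EmailAddresses: []string{"alice@example.com"},
			NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{eku}}, p, k)
		return c
	}
	leaves := map[string]*x509.Certificate{
		"tls":          leaf(date(2019, 9), date(2020, 3), x509.ExtKeyUsageServerAuth, root, rootKey),
		"smime":        leaf(date(2019, 9), date(2020, 3), x509.ExtKeyUsageEmailProtection, root, rootKey),
		"expired":      leaf(date(2018, 1), date(2019, 1), x509.ExtKeyUsageServerAuth, root, rootKey),
		"out-of-shard": leaf(date(2019, 9), date(2021, 6), x509.ExtKeyUsageServerAuth, root, rootKey),
		"foreign-root": leaf(date(2019, 9), date(2020, 3), x509.ExtKeyUsageServerAuth, other, otherKey),
	}
	strict := LogPolicy{Roots: roots, RejectExpired: true, ShardStart: date(2020, 1), ShardEnd: date(2021, 1), RequireTLSEKU: true}
	return strict, time.Date(2019, 9, 18, 0, 0, 0, 0, time.UTC), leaves
}

func main() {
	policy, now, leaves := BuildFixture()
	for name, c := range leaves {
		fmt.Printf("%-13s -> %v\n", name, policy.Accept(c, now))
	}
}
```

Run it with `go run`; only the "tls" leaf prints `<nil>` under the strict policy. The model takes the leaf alone; a real Log is handed the whole submitted chain, and in Go the intermediates would go into `VerifyOptions.Intermediates` before the same root-set check. Building the path at the leaf's own `NotBefore` is deliberate: it keeps "is it expired?" a policy knob (`RejectExpired`) that a Log may or may not turn on, exactly as the message describes, instead of an implicit side effect of `Verify` at the current time.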