Re: [Trans] Cross-certificates and log servers
Ben Laurie <benl@google.com> Wed, 02 July 2014 11:34 UTC
Return-Path: <benl@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0DAE1B28F3 for <trans@ietfa.amsl.com>; Wed, 2 Jul 2014 04:34:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.03
X-Spam-Level:
X-Spam-Status: No, score=-2.03 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fPNuXjLfa9ZR for <trans@ietfa.amsl.com>; Wed, 2 Jul 2014 04:34:09 -0700 (PDT)
Received: from mail-qc0-x22e.google.com (mail-qc0-x22e.google.com [IPv6:2607:f8b0:400d:c01::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5A581A0045 for <trans@ietf.org>; Wed, 2 Jul 2014 04:34:09 -0700 (PDT)
Received: by mail-qc0-f174.google.com with SMTP id x13so9474152qcv.5 for <trans@ietf.org>; Wed, 02 Jul 2014 04:34:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=S+zRSIbXWnb8KoulobBmYkCJAgeUZVhMVaSbuEA1Ens=; b=eHNkeUgE36qFmWDA2Ky07bwZ4ouFFKb3sBHyGyQxmXVbsnRfay73emry8vynBcdG2/ bF6Hi2Av3X7KnaD0NIMpkvvFzVyW47sjFysqkqPd7m9xv79XsYE8ObFQVoRMSbO4IBOK jMVrC3pUqdlEDkfrz+7/Kt+liZTNmHVjbZXISLMrN1xIUYO9R8t+YCz5A+Ol7A53DJOs AG7TFzamChNvWepknoBppuU4gZWaz14rQBgboe+hyMAGSvAHVm/v5YIOQ+MMb+t2ZtgK oT5JFfy9mLLxfv7UJfgIGZmwXA7jL6pz7WWiGMJ6OTP4n1Qrs2GHlSE4m/ygPmVZ1xUe KFGw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=S+zRSIbXWnb8KoulobBmYkCJAgeUZVhMVaSbuEA1Ens=; b=LIUoEv0cn3ZOunoDfqtPLCuOFR+HncQbfZFmflGj3OuQvF3y5CMYexhBNXkB1owPUC yiIkl2QemrqoBsPUfkfk2sX9a2dqOPBJcYxu3czM/3qzUvF1GF0qoC9+0SGXgLyHIJ03 YVOQDL0xmMkk6XdZ4StV/q+W/SyskrmuEGU72tddrNd9U34b0Iv5nnhKIiCH+YsNylVp wnlf1Xr/GXI/YNLL2fNOEcnDbhZ+GE4/U9rR/E0bxkXAIlgCtbG8ecpL/sIhz0M3OIYD tOa+huaDUzw9gNWCxfu0dD4cpzSkVWDNFzRoPU2BJZXBYvT4oJDK7GsO4e85d9SaxiAi jbAg==
X-Gm-Message-State: ALoCoQlV5z2DvCmaum7MXzXRkz691C8YNcw6ffXF+4q1Gl21BM5lSaFAmfA2AMoNayr/cfn0fe2c
MIME-Version: 1.0
X-Received: by 10.224.151.135 with SMTP id c7mr77858611qaw.95.1404300848710; Wed, 02 Jul 2014 04:34:08 -0700 (PDT)
Received: by 10.229.100.72 with HTTP; Wed, 2 Jul 2014 04:34:08 -0700 (PDT)
In-Reply-To: <CALzYgEcgRzm=KHvGLGCz0UzU+g5oEShSvjRiFm1q564Cgo+tnw@mail.gmail.com>
References: <544B0DD62A64C1448B2DA253C011414607CCD4149A@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CALzYgEcgRzm=KHvGLGCz0UzU+g5oEShSvjRiFm1q564Cgo+tnw@mail.gmail.com>
Date: Wed, 02 Jul 2014 12:34:08 +0100
Message-ID: <CABrd9STOJ7iO2qUaFuCeqy1JXRUqhqy8uBKkwu27xHdK-_zjJQ@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Eran Messeri <eranm@google.com>, ct-policy@chromium.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/RgduWJrVW694rjQ0WY00sRzygUQ
Cc: "trans@ietf.org" <trans@ietf.org>, Rick Andrews <Rick_Andrews@symantec.com>
Subject: Re: [Trans] Cross-certificates and log servers
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Jul 2014 11:34:15 -0000
I've added the ct-policy mailing list, which might be a better venue for this question, at least for Google's logs. To be clear, I don't think we can dictate what roots logs accept, though certainly the advice is "all roots accepted by common browsers" - which is a little vague, but hard to nail down further. This is certainly Google's current plan. On 2 July 2014 11:33, Eran Messeri <eranm@google.com> wrote: > > > > On Tue, Jul 1, 2014 at 11:45 PM, Rick Andrews <Rick_Andrews@symantec.com> > wrote: >> >> Symantec (and I suspect other CAs) would like more information about what >> roots will be configured into log servers. >> >> Root Certificates: >> The current spec includes a call to Retrieve Accepted Root Certificates. >> Should we infer from that that the list might change over time? We expect >> new roots would be added, but would roots ever get removed? For example, >> browser vendors are in the process of removing 1024-bit roots from their >> trust stores, and in the next few years we expect that SHA-1 roots might be >> removed too. Would log server operators also phase out such roots? > > The purpose behind requiring that submitted certificates chain to a set of > accepted root certificates is to avoid the log being flooded with > uninteresting certificates (e.g. self-signed certificates). To that purpose > I do not think it matters if obsolete roots are removed because the log > should not get submissions chaining to these roots. Equally, it doesn't matter if they're still allowed - unless they suddenly become spammy. >> Once there are more than three log servers, we expect to decide up front >> which log servers we will contact for SCTs. We do not expect to dynamically >> query each log server to confirm that it still trusts our root, just before >> attempting to log a certificate. Is that a valid assumption? > > Yes - How a log operator changes the set of roots its log accepts is not > specified in the RFC, but I expect log operators would communicate such > changes beforehand. Exactly so. >> It would be preferable for the log server operator to publish a list of >> roots and commit to supporting those roots until the CA informs the operator >> that the root is no longer in active use, and all certificates chained to >> that root have expired. > > >> >> >> Cross-Certificates: >> We have been providing cross-certificates to customers to deploy so that >> their certificate could chain up to a 1024-bit root (for use in older >> browsers without our 2048-bit roots). If the cross-certificate is ignored, >> the end-entity cert chains up to one of our 2048-bit roots. We expect to >> continue using cross-certificates until we determine that their use is no >> longer required. We’d like to be sure that the use of cross-certificates >> will not cause any problems for log servers. For example, take the case >> where we log a certificate we’re about to issue (or have issued) and we >> include the cross-certificate in the chain sent to the log server. Then the >> customer (for whatever reason) decides to also send their certificate to the >> log server, but without the cross-certificate. Will the log server see this >> as the same certificate, and return to the customer the same SCTs? Or will >> the certificate get logged a second time? If the latter, will that cause any >> problems? > > The SCT is over the certificate itself, not the entire chain, so that should > not be a problem. As mentioned above, the log checks the chain just to > prevent it being spammed. Not just for that reason: also so that there is a clear path for revocation, should the certificate be bad in some way. > It shouldn't matter to the client if it gets the same SCT or not - as long > as the log provides proofs for all SCTs it produces. The issue here is that > to get a proof from the log the client has to provide the hash of the leaf > in the tree, which is calculated over the certificate + timestamp from the > SCT. If the log returns different SCTs from the same certificate it likely > means it logged the certificate multiple times. Either way the client should > get a valid inclusion proof. In general, our log is unlikely to produce more than one SCT for the same certificate, but it can happen (that's a result of engineering tradeoffs for reliability vs. availability). > As a side note, it is beneficial if log operators keep obsolete roots in the > set - that way it's easy to explain why a certificate was added to a log in > the first place (since the chain that was in place when the certificate was > added is never changed). >> >> >> -Rick >> >> >> _______________________________________________ >> Trans mailing list >> Trans@ietf.org >> https://www.ietf.org/mailman/listinfo/trans >> > > > _______________________________________________ > Trans mailing list > Trans@ietf.org > https://www.ietf.org/mailman/listinfo/trans >
- [Trans] Cross-certificates and log servers Rick Andrews
- Re: [Trans] Cross-certificates and log servers Eran Messeri
- Re: [Trans] Cross-certificates and log servers Ben Laurie
- Re: [Trans] Cross-certificates and log servers Matt Palmer