Re: [Trans] Martin Duke's No Objection on draft-ietf-trans-rfc6962-bis-39: (with COMMENT)

Ryan Sleevi <> Thu, 29 July 2021 21:10 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5C2333A0408 for <>; Thu, 29 Jul 2021 14:10:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.648
X-Spam-Status: No, score=-1.648 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id CU0EAH34ziuz for <>; Thu, 29 Jul 2021 14:10:36 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E45B93A03FF for <>; Thu, 29 Jul 2021 14:10:35 -0700 (PDT)
Received: by with SMTP id e21so8479696pla.5 for <>; Thu, 29 Jul 2021 14:10:35 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fhgsaYiEE2CGcnm6gNb5FKsTNHHHqSmx0ZQkN/X3JJ4=; b=tn+7qshkgKamDNDEs/pxqjuxT5XR0KNZbV/wVPf79zzyo8mZPrXVcFpxB1uhiOTwQV zrU7ZJ6zcIIC0c9JOUpjS0ob353v1oCz5PBTlqpoSmcD4+Cn5BwcxnmyaFNP0Bfp0qM0 MoQNcVV20aPRs4bG+jnBESIf0Z6Om7BEuvP2wVKrRVFxQEZSLS7bPKycd6cMaw5VKfIA LFzo5SeZ77lSBgTOSG+qFEQ3i8u6rDwJJHn34/Qn7YwgLhGRn0doL2eRepBq9XzxDaFT wsYXjUhlQclt/XZu+BvU/pDXWUeNJfzZUibvYo9QK8fHGeuvEiCMjnhn0pT2dFNCniyP dcIg==
X-Gm-Message-State: AOAM532jiVsmKHeOX9GuxGNqCJlwbAGIAWptrNfYMpjp+CnPzV34xo4H ZgOg58LyZ/40UVIKqJlZVhA5ZUVSwn8=
X-Google-Smtp-Source: ABdhPJzvYj8DsqTYBiGeW5GbJf9EKhOcWhfmTLxrQr92xuNw8GXB8cJP+F5BM8R5N9z3qzrdxAWSGg==
X-Received: by 2002:a17:902:b788:b029:12c:2888:9589 with SMTP id e8-20020a170902b788b029012c28889589mr6481828pls.60.1627593034936; Thu, 29 Jul 2021 14:10:34 -0700 (PDT)
Received: from ( []) by with ESMTPSA id ge21sm4444511pjb.55.2021. for <> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 29 Jul 2021 14:10:34 -0700 (PDT)
Received: by with SMTP id ca5so12037327pjb.5 for <>; Thu, 29 Jul 2021 14:10:34 -0700 (PDT)
X-Received: by 2002:a63:cd4d:: with SMTP id a13mr5445667pgj.364.1627593034614; Thu, 29 Jul 2021 14:10:34 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Ryan Sleevi <>
Date: Thu, 29 Jul 2021 17:10:23 -0400
X-Gmail-Original-Message-ID: <>
Message-ID: <>
To: "Salz, Rich" <>
Cc: "" <>, Martin Duke <>
Content-Type: multipart/alternative; boundary="000000000000aad03305c8498807"
Archived-At: <>
Subject: Re: [Trans] Martin Duke's No Objection on draft-ietf-trans-rfc6962-bis-39: (with COMMENT)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Public Notary Transparency working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 29 Jul 2021 21:10:41 -0000

On Thu, Jul 29, 2021 at 4:30 PM Salz, Rich <rsalz=> wrote:

> The signature algorithm is unlikely to change until we have to deal with
> post-quantum signatures, and that is years away. As for the key being
> rotated, this is not a short-term WebPKI TLS key, but rather a long-term
> data signing key. So far none of the logs being used (I hesitate to say “in
> production”) have had to do either.

I'm not sure this is correct, Rich? Logs regularly rotate IDs; presently
annually, but it's reasonable to anticipate more frequently as the
size/performance tradeoffs, precisely as the way of pruning the storage.

For example, it's a policy requirement for present CT enforcing agents that
logs be temporally sharded, such that a log does not accept certificates
that expire after a defined point, so that the log can be retired after
that point.

Effectively, the log ID space is as wide as the private key space. The
switch from (key hash) to OID largely removes the dependency on both the
hash algorithm and can reduce the size of the ID. The existence of the
registry is simply to allow for smaller encoding than using a Private
Enterprise Number, as stated in the draft. That is, the registry is simply
a form of compression :)