IETF Logo Mail Archive

Re: [Trans] AD Review of draft-ietf-trans-rfc6962-bis-30

Rob Stradling <rob@sectigo.com> Mon, 25 February 2019 11:51 UTC

Return-Path: <rob@sectigo.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3276812F295 for <trans@ietfa.amsl.com>; Mon, 25 Feb 2019 03:51:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=comodoca.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v-gBjKFTa0NH for <trans@ietfa.amsl.com>; Mon, 25 Feb 2019 03:51:05 -0800 (PST)
Received: from NAM05-CO1-obe.outbound.protection.outlook.com (mail-eopbgr720082.outbound.protection.outlook.com [40.107.72.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD3AD1200B3 for <trans@ietf.org>; Mon, 25 Feb 2019 03:51:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comodoca.onmicrosoft.com; s=selector1-sectigo-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VWcbsgKMSPUgBWE78EX//worAxNoNJO1zxRcYcrHIZ0=; b=LZApap5PXDU648tnaNp270GGGwSHn57EhATzHf8QBOQReu6T8yS7iDCf2UZP8BS4sDJaxH7NO/E2830ypzWo16kxHiwQIuK2WC0DTR3DNcEOjRdqUqlUdU5BKkXxIjRpWRkP1nO++cPRFG/ZnDpDYvhd8AH3t3P1503AHk+ZmPE=
Received: from DM6PR17MB2716.namprd17.prod.outlook.com (20.178.224.155) by DM6PR17MB2842.namprd17.prod.outlook.com (20.178.227.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1643.16; Mon, 25 Feb 2019 11:51:02 +0000
Received: from DM6PR17MB2716.namprd17.prod.outlook.com ([fe80::80e1:4c3b:1fac:22b9]) by DM6PR17MB2716.namprd17.prod.outlook.com ([fe80::80e1:4c3b:1fac:22b9%6]) with mapi id 15.20.1643.019; Mon, 25 Feb 2019 11:51:02 +0000
From: Rob Stradling <rob@sectigo.com>
To: Eric Rescorla <ekr@rtfm.com>
CC: Paul Wouters <paul@nohats.ca>, Trans <trans@ietf.org>, "draft-ietf-trans-rfc6962-bis@tools.ietf.org" <draft-ietf-trans-rfc6962-bis@tools.ietf.org>
Thread-Topic: [Trans] AD Review of draft-ietf-trans-rfc6962-bis-30
Thread-Index: AQHUm8VH/tKW0BCiOkqCMmOx6Iywx6WOj/SAgAAWgQCAAp2zgIAABZuAgAAh6YCAAo4xgIBcz06A
Date: Mon, 25 Feb 2019 11:51:02 +0000
Message-ID: <b325961b-32fb-029f-3d93-4c152f409a68@sectigo.com>
References: <CABcZeBMuE-B20wfN=mCDNPEBOTff+iGMj=02AKHskWed=LhpSA@mail.gmail.com> <alpine.LRH.2.21.1812241815400.26801@bofh.nohats.ca> <CABcZeBNpBcN6aLK4q7RPLAt+y0w9Fs0aO6MntkvLZAKecBM=OA@mail.gmail.com> <alpine.LRH.2.21.1812261126520.1556@bofh.nohats.ca> <CABcZeBODVorWnZDqM+MMYCiorsSTwb1+zmfRccJv0haOuo9vpA@mail.gmail.com> <alpine.LRH.2.21.1812261348360.16589@bofh.nohats.ca> <d2440239-988a-af4e-5dab-65446373e2d2@sectigo.com>
In-Reply-To: <d2440239-988a-af4e-5dab-65446373e2d2@sectigo.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-clientproxiedby: LO2P123CA0022.GBRP123.PROD.OUTLOOK.COM (2603:10a6:600:a6::34) To DM6PR17MB2716.namprd17.prod.outlook.com (2603:10b6:5:122::27)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=rob@sectigo.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [2a02:1788:4ff:1000:f68e:38ff:fe7a:a226]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: eff229ab-8444-4edd-ecd6-08d69b1783ff
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600110)(711020)(4605104)(2017052603328)(7153060)(7193020); SRVR:DM6PR17MB2842;
x-ms-traffictypediagnostic: DM6PR17MB2842:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <DM6PR17MB2842C4C0CC0A12B2FE7F8CC3AA7A0@DM6PR17MB2842.namprd17.prod.outlook.com>
x-forefront-prvs: 095972DF2F
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(346002)(136003)(39850400004)(366004)(376002)(189003)(199004)(305945005)(7736002)(966005)(31696002)(86362001)(386003)(6506007)(53546011)(478600001)(14454004)(102836004)(53936002)(6916009)(46003)(6246003)(105586002)(2616005)(476003)(106356001)(446003)(11346002)(256004)(14444005)(8676002)(81156014)(52116002)(81166006)(76176011)(186003)(99286004)(8936002)(6116002)(229853002)(97736004)(71190400001)(68736007)(6436002)(6486002)(4326008)(25786009)(54906003)(5660300002)(71200400001)(6512007)(6306002)(2906002)(93886005)(316002)(486006)(31686004)(36756003); DIR:OUT; SFP:1101; SCL:1; SRVR:DM6PR17MB2842; H:DM6PR17MB2716.namprd17.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: sectigo.com does not designate permitted sender hosts)
x-microsoft-exchange-diagnostics: 1;DM6PR17MB2842;23:2LfDdc3XZiZFTHsw7kJIRaMNpc6NrFMEUdIXuMtUgE56CCtSWCf3XCxTo80/lAeQ4TTJPZm/ZmpEF5tRYbZ+yXfduZnrLHGuXEzfUS4d/wkxqgmLILyyBPSbtXV5OP8De1EI9Ung+oe32EHqdHNPXddXD8ITlJd4Zs0JSUd1zcZ/2meRP/p9nTMDHXO0okFECiByYB6Dd+IZBBo90IKbVm0XhSTV+/kcpYz39vZNVN0iTJz9EJh4ZLzlzVB6jU2C0sOvjCXlf9bHf4Sfm16zDZBS4JNr1UNwuxhIxboXlGlBb/Q5QQkbSCnQopxyrJjPoXlW5BxgHC+UBgpvmQWjT6x9Dr56ZzcuZViXE8trFNzx5pCuKEaZWkZj7TqHsdqsXijG5wt4x5Q20uWTrTHSvGBAMYFxJZHQsONgNKYpg3VwXfarrX9J1+JjsoKkshHI9qKQs86fCoEWCj3uJ4HdFEKuHJONfjko9tPz6nbAmS/Ix5cALWg9t3cNS4R2FEO9rEITTpbw58r1aqSzkhxibBAXLiP/0w3RjrLTVxYBG3TkEq69LsX8Tmy91i/ugYBCoOKe9Z9lWohzR6jDU2V3Barrk6W1BVfg12tByR6Ct+qTFl038NnwfY5jDA2LJNkllZ+yQmMJYjylVKD2mS5LaQiViLfFSnPKbOZudECqtreruk1RiqXO1oc8DaVNx6Burvkuc/ADBv6iG/62LxNe26Hl5+mEOEzpykd8LBkneAY1HK6jsuVy/8jNTQN9tXYQol8s0c4cbdCZndZBRtNoc/VcTy/1CD6TAFlyGlno3mKjU8BTn2diaRzELQA1N4bwoG6EYsQzBwvRWWuNoyF7UGD/ok/gF0t5y6fWrhB5qV0kcFg4lNBoHUWEPMfx/0SCZ2ERD2BsO6EWp5eXBxQC9L8fSGHMKL02vtFUFA+yf9KWAS5RMZUuA0hE5rLfqh8v1WI63YK4FmpFyYyg4SOKxYfyPHncvI7PbhvB5DH89/X5Q/jCeRIdvQDxHCPEm1oCsNL/IJhV4T8qZIR3EqMKpZGOxxg+mCacHGOHxXijjhQSjK2ZnJWNsSH4uKUVtFo8ymUeo9ygdAe6X6oPl7fmmZrE/bUzXSD7hY2dq1ZWs5Q0hAf4rOzvLrtKcOppniOt42ZYXMKZhYis/OFPz9V5MelP3BMUDQ6KKfo3ohctdTjz9m95/YjD0DNxZF8ivkCw2TQ16Lyo7J78d4nkNAQeJrf3qt19zu7Fw3g8xUATY1KfTRxeMJIjvKoR7wPVlFyXES4p6UxTOUVH2ZbFb9LR8Uy117lV9ySAqod+1Ot9JjY=
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: WHGIRV6T6wKsB/6a1EL12AcEv+YH2tOTe4zqrG7z85jVdkcDw7DyyG6PhM05DrP+r8Qt+wvZlQFZaJpvOKJ/L6guW84qjHRLOhZpMCFtHpTTQOITVIx63J0o9j/TB4OSjxZn0c/JnbGE0dS8Zoq8h1hCpqH2CbeWlw5q8TCSIuDjJENsCFpIkaslfH2lEk+K4wO9OWWcfwGKc671deVpNC8c0rOmpPpc9mJSpGp8XjcVBfKR4obx2lmnr+aCp+1MqulXtaPWPD0A7zU+zxToco6KAyMgNo1+3dCdGI6SZePs4jDjpmhLGyMpkYDGllE8sjLxLQ5a/5HNvn6j+M2I5MmSJW/FLaSQt6KoMhmJafegOOArWo9fq8VM93o7XaaDCF2JNehB9Cofris7LKkfTkJsUjamywZ/7aER/+M96YY=
Content-Type: text/plain; charset="utf-8"
Content-ID: <DAF9EB8AD9BEE04F931E1BD0F0685C24@namprd17.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: sectigo.com
X-MS-Exchange-CrossTenant-Network-Message-Id: eff229ab-8444-4edd-ecd6-08d69b1783ff
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Feb 2019 11:51:00.4043 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-id: 0e9c4894-6caa-465d-9660-4b6968b49fb7
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR17MB2842
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/UftnU-yiLZJzn4VU6_kftxl0iA8>
Subject: Re: [Trans] AD Review of draft-ietf-trans-rfc6962-bis-30
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2019 11:51:08 -0000

EKR,

We just published -31, which we believe addresses all of your A-D review 
comments.  Please let us know if there are any other issues to address 
before 6962-bis can be sent to the IESG.

Thanks.

On 28/12/2018 10:33, Rob Stradling wrote:
> On 26/12/2018 19:31, Paul Wouters wrote:
>> On Wed, 26 Dec 2018, Eric Rescorla wrote:
> <snip>
>>>        >       > >      In addition to normal validation of the server
>>> certificate and its
>>>        >       > >      chain, CT-using TLS clients MUST validate each
>>> received SCT for which
>>>        >       > >      they have the corresponding log's parameters.
>>> To validate an SCT, a
>>>        >       > >      TLS client computes the signature input by
>>> constructing a "TransItem"
>>>        >       > >      of type "x509_entry_v2" or "precert_entry_v2",
>>> depending on the SCT's
>>>        >       >
>>>        >       > How do I proceed if I have an invalid SCT but by
>>> policy I would accept
>>>        >       > the certificate if the SCT had been omitted.
>>>        >
>>>        >       The section quoted tells you what to do with invalid
>>> SCT's, namely fail the validation.
>>>        >
>>>        > This text does not tell you to fail validation of the
>>> certificate; it tells you you MUST validate all the SCTs and then
>>> doesn't tell you how to behave if one does not validate.
>>>
>>>        I believe the actions of what to do on validation failure are a
>>> local
>>>        policy. It could be a total rejection, a popup etc. While
>>> 6962bis gives
>>>        guidance for CT-using TLS clients, it is not a client specification
>>>        document. See also: https://trac.ietf.org/trac/trans/ticket/15
>>>
>>>
>>> But there is a MUST here for clients, and so again, the boundaries of
>>> that MUST need to be clear.
>>
>> The MUST tells you to validate, not to tell you exactly what to do when
>> validation fails. So it tells you that you cannot skip validating the
>> 3rd SCT even if you only needed two according to your client policy. So
>> I still do not understand why you think this case is a problem.
>>
>>>        >       I suspec your real question is if that is the right
>>> thing to do when
>>>        >       SCT's were not mandatory as policy for the CT-using
>>> clients?
>>>        >
>>>        > No, that's not my question. Consider the case where my policy
>>> is that there must be 2 valid SCTs and the server supplies 3 but only
>>> 2 validate. I'm required to validate all of them, but I could
>>>        conform with
>>>        > this text by validating all three, logging the failure, and
>>> moving on.
>>>
>>>        That behaviour is up to the client implementation and/or local
>>> policy.
>>>
>>>
>>> Great. Then the text should say that.
>>
>>> I'm not asking for a complete client specification. What I am asking
>>> is that every normative requirement in this specification be
>>> unambiguous, and I do not believe that this one is.
>>
>> I think it does, but I guess it won't harm to make it more explicit.
>> I'll leave that up to the authors.
> 
> This is already covered by section 8.1.6 "Evaluating compliance", but...OK.
> 
> Proposed text:
> https://github.com/google/certificate-transparency-rfcs/pull/306
> 

-- 
Rob Stradling
Senior Research & Development Scientist
Email: rob@sectigo.com
Bradford, UK
Office: +441274024707
Sectigo Limited

This message and any files associated with it may contain legally 
privileged, confidential, or proprietary information. If you are not the 
intended recipient, you are not permitted to use, copy, or forward it, 
in whole or in part without the express consent of the sender. Please 
notify the sender by reply email, disregard the foregoing messages, and 
delete it immediately.

v2.23.0 | Report a Bug | By Email