Re: [Trans] Fwd: Certificate Transparency with Russian GOST algorithms

Rob Stradling <rob.stradling@comodo.com> Tue, 18 March 2014 14:47 UTC

Return-Path: <rob.stradling@comodo.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 547D91A037C for <trans@ietfa.amsl.com>; Tue, 18 Mar 2014 07:47:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.29
X-Spam-Level:
X-Spam-Status: No, score=-1.29 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_NET=0.611, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JZ4mjelUDKnf for <trans@ietfa.amsl.com>; Tue, 18 Mar 2014 07:46:57 -0700 (PDT)
Received: from ian.brad.office.comodo.net (eth5.brad-fw.brad.office.ccanet.co.uk [178.255.87.226]) by ietfa.amsl.com (Postfix) with ESMTP id 8E2EF1A036E for <trans@ietf.org>; Tue, 18 Mar 2014 07:46:56 -0700 (PDT)
Received: (qmail 11764 invoked by uid 1000); 18 Mar 2014 14:46:47 -0000
Received: from nigel.brad.office.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (AES128-SHA encrypted) ESMTPSA; Tue, 18 Mar 2014 14:46:47 +0000
Message-ID: <53285C57.2090202@comodo.com>
Date: Tue, 18 Mar 2014 14:46:47 +0000
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Ben Laurie <benl@google.com>, Melinda Shore <melinda.shore@gmail.com>
References: <531F530B.4040703@tcinet.ru> <531F57B2.6030505@gmail.com> <CABrd9SSOwGC8LKF5viuwoFsjcTMQjra-TJdyWU6g2mVNk_5WOA@mail.gmail.com>
In-Reply-To: <CABrd9SSOwGC8LKF5viuwoFsjcTMQjra-TJdyWU6g2mVNk_5WOA@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/XNgeHpXDY2Y2zSQhd_JfdyshQAc
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] Fwd: Certificate Transparency with Russian GOST algorithms
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Mar 2014 14:47:00 -0000

On 18/03/14 14:20, Ben Laurie wrote:
<snip>
> It seems to me there shouldn't be any difficulty accommodating GOST
> like this

The GOST algorithms aren't currently in the TLS SignatureAlgorithm and 
HashAlgorithm registries [1].  Since RFC6962 can only reference 
algorithms that are defined in these registries, this looks like a problem.

This I-D [2] (see section 6) tentatively requested adding the GOST 
algorithms to these registries, but it expired long ago and AFAICT never 
progressed to RFC status.


[1] 
http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-16

[2] http://tools.ietf.org/html/draft-chudov-cryptopro-cptls-04

> - I guess we'd have to add the rule that non-GOST
> certificates MUST NOT use GOST logs. Not sure whether we should
> require the opposite, though (i.e. GOST certificates MUST NOT use
> EC/SHA logs)?

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online