Re: [Trans] making progress on precertificate discussion

Stephen Kent <kent@bbn.com> Fri, 03 October 2014 19:26 UTC

Message-ID: <542EF87B.5010105@bbn.com>
Date: Fri, 03 Oct 2014 15:26:51 -0400
From: Stephen Kent <kent@bbn.com>
To: trans@ietf.org
References: <542E7EFC.4050202@gmail.com>
In-Reply-To: <542E7EFC.4050202@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/YezdkidnYh1DbrVau-ioYDUG5WI
Subject: Re: [Trans] making progress on precertificate discussion

Melinda,

> Hi, all:
>
> Problems around precertificate contents and formats were among
> the things we first discussed when the working group was chartered,
> and here we are, still at it.  There are basically two problems
> that fall under the "precertificate" rubric: 1) whether or not
> it's possible/reasonable to include a certificate's serial number
> (as this implies that the issuer will know in advance what the
> serial number will be), and 2) encoding/representation.  There's
> a general sense that the first *seems* like it ought to be a
> problem, but we haven't had CAs stepping forward saying that
> this would prevent them from being able to implement and
> would be unacceptably onerous for them.  Instead, we're hearing
> reports of at least one major CA solving the problem by
> simultaneously issuing precertificates and certs.
I'm confused by the last sentence above. One can issue a cert at the
same time a pre-cert is issued, but the cert does not contain the
SCT that will be generated by the log, so the parallel issuance seems
redundant, and I'm not sure how it helps.
> Given the lack of new information and lack of new technical
> arguments, I think we need to close the serial number aspect of
> the discussion and go ahead with continuing to include it in
> precertificates.  This is the IETF and nearly any decision can
> be revisited with the introduction of new information or a new,
> compelling argument.  But in the meantime we need to move forward,
> so let's close this one and move on to trying to close the encoding
> discussion.
I'd feel more comfortable on this topic if we had the results
of the CABF member poll I suggested. Is there any progress on
that front?

Steve