IETF Logo Mail Archive

Re: [Trans] Write-up of the "Strict CT" variant

Andrew Ayer <agwa@andrewayer.name> Wed, 24 May 2017 19:41 UTC

Return-Path: <agwa@andrewayer.name>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 316F7126C23 for <trans@ietfa.amsl.com>; Wed, 24 May 2017 12:41:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewayer.name
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SAwDtI1m1hRd for <trans@ietfa.amsl.com>; Wed, 24 May 2017 12:41:11 -0700 (PDT)
Received: from alcazar.beanwood.com (alcazar.beanwood.com [IPv6:2600:3c00:e000:6c::1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 235601270FC for <trans@ietf.org>; Wed, 24 May 2017 12:41:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=andrewayer.name; s=beanwood20160511; t=1495654870; bh=cmjyo+EatRmgE5QfFclH7o+tpdTlM5PvDvVTCK330p0=; h=Date:From:To:Cc:Subject:In-Reply-To:References; b=bK2yGFYYa3Gv92KzD7auW9oNIeSMapwiYTRwACJlTZG7q1Ungtcykbzbq+iMjbXb7 L/ocG+2jxWdsIVscrWJdECqxMGRopSmDmfkd+RZvaHtF7cEkzdUyRNJZ6YODv4ab+A 6/Q8dws3AKPlrmIxe/4mTyXrVoIccZgedlb97HIIlKehQwsVjAx3Y00E1A+41e4py/ uyDoHIo3VN4EHCM7Jot50trYv3OmOPP2QgjtYyy09X/lijdU6E0V+1y+/KKes0+wLc WmnlLpKbZZfpy69wOvA8hvOf1QMjHBxfVRnE5rPhqLDNjHFNnwasxx63+EXz3ctHCY kNEfysRjZU5dA==
Date: Wed, 24 May 2017 12:41:09 -0700
From: Andrew Ayer <agwa@andrewayer.name>
To: Eran Messeri <eranm@google.com>
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>, "trans@ietf.org" <trans@ietf.org>
Message-Id: <20170524124109.52359e9ed92cdb5cf4be5833@andrewayer.name>
In-Reply-To: <CALzYgEfkatrhUi_vVkc3P55yd0-82OkaZcv7Sx7RytKvh4G7KA@mail.gmail.com>
References: <CALzYgEeUCmj4BgY7uKdMnsvTcbvfAunquuqHxD7FxuzZxY1=Fg@mail.gmail.com> <CAErg=HHLVyTS=PxbUWsNQpzkc+S4SS9t5Bz3KHm1oFmJiyf+dg@mail.gmail.com> <CALzYgEfkatrhUi_vVkc3P55yd0-82OkaZcv7Sx7RytKvh4G7KA@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/YlMxjsJxFRVyyBdaundBDcjJ30s>
Subject: Re: [Trans] Write-up of the "Strict CT" variant
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 May 2017 19:41:12 -0000

On Tue, 23 May 2017 14:43:09 +0100
Eran Messeri <eranm@google.com> wrote:

> >> [6] In theory, a new certificate, with the inclusion proof embedded,
> >> could be issued - but it may run afoul of the restriction on issuing
> >> different certificates with the same serial number.
> >>
> >
> > Isn't that the whole reason 6962-bis moved to the (terrible) CMS
> > structure? :) That CAs were concerned that precerts & certs constituted two
> > logically distinct X.509 certificates? If that was to be introduced, it
> > would make sense to simply return to the critical extension, since we'd
> > have lost the main argument for using CMS :)
> >
> Yes :( I mention that as an unlikely option.
> I'd like to return to the critical extension too, the main concern brought
> against it (AFAIK) is some TLS libraries that would accept precerts as
> valid X.509 certificates.

Is that such a bad thing?  RFC6962 and RFC6962-bis are both quite clear
that a pre-certificate is a binding commitment by the CA to issue the
final certificate, and that misissuance of a pre-certificate is
equivalent to misissuance of the final certificate.  So what's the
difference between a client accepting a pre-certificate and a client
accepting the final certificate which the CA is bound to issue
anyways?  The only difference I see is that one has embedded CT
information and the other doesn't.  The pre-certificate is not
inherently untrustworthy.

CT would be simpler and more flexible if it didn't have
pre-certificates, and instead CAs were permitted to re-issue
certificates with duplicate serial numbers as long as the only change
was the addition/modification of the Transparency Information
extension.  I suggest keeping this in mind for RFC6962-bis-bis.

Regards,
Andrew

v2.23.0 | Report a Bug | By Email