IETF Logo Mail Archive

Re: [Trans] path validation

David Leon Gil <coruus@gmail.com> Thu, 02 October 2014 21:02 UTC

Return-Path: <coruus@gmail.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A86A1A87A6 for <trans@ietfa.amsl.com>; Thu, 2 Oct 2014 14:02:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZdnJfQVYZEDZ for <trans@ietfa.amsl.com>; Thu, 2 Oct 2014 14:02:31 -0700 (PDT)
Received: from mail-lb0-x22c.google.com (mail-lb0-x22c.google.com [IPv6:2a00:1450:4010:c04::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C85CB1ACD5F for <trans@ietf.org>; Thu, 2 Oct 2014 14:02:30 -0700 (PDT)
Received: by mail-lb0-f172.google.com with SMTP id b6so3008516lbj.31 for <trans@ietf.org>; Thu, 02 Oct 2014 14:02:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=9XHuXErWod12X82gsViBO0xSelrcLfVqjjpNREVp7M0=; b=gPZhw9B7gjN6Jo/bnBeJXZt/809YGorASUflGIyF9A2bO1ZoTJCt8QnS/rcpz8QeOg OGGYgPBbJAd0ZJ4kt1i98uqyA+f7gKn9ze9r9NP1o5CZUYwDY44YGqZnmGWSfv1P4JRv wDHm3bcWvPC7omtTnZaKEvZD3aL8YLqDt5jmhv4IaTihsWMWEDelnVgyHUodhPCFWM8i rY09UBRFxtOgq69Pou6ZOtBBsktBE55PNfpkNJFC/Hiq291n8kr/DXfzu+jzIxdGcOnb /ov7g7EP3IOrdcnqAXdAJUykNk2T94Theg3m3/25I6q3Zhe8+WrJvXPmwrPRW8RzSzQ7 sz1Q==
X-Received: by 10.112.151.99 with SMTP id up3mr1166857lbb.45.1412283749154; Thu, 02 Oct 2014 14:02:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.25.218.145 with HTTP; Thu, 2 Oct 2014 14:02:09 -0700 (PDT)
In-Reply-To: <542D79BB.1030900@bbn.com>
References: <54296FB2.1060109@bbn.com> <4262AC0DB9856847A2D00EF817E81139233695@scygexch10.cygnacom.com> <544B0DD62A64C1448B2DA253C011414607D1629838@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <4262AC0DB9856847A2D00EF817E8113923370C@scygexch10.cygnacom.com> <544B0DD62A64C1448B2DA253C011414607D162989C@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CAA7UWsWr2p7t2uTrhiF9meU8htT=aWQT7qiBV6Xxg2E-GAwUBQ@mail.gmail.com> <542C0FCB.7010906@bbn.com> <CAA7UWsW8qM8jdOOjdEznmyW6iEcnQ58izuMCbZbRtHWSQmBp5Q@mail.gmail.com> <542D79BB.1030900@bbn.com>
From: David Leon Gil <coruus@gmail.com>
Date: Thu, 02 Oct 2014 17:02:09 -0400
Message-ID: <CAA7UWsXQEktRaPLccT8Qpp38V_W+uis2zNHaY-oRp9k9nnchXA@mail.gmail.com>
To: Stephen Kent <kent@bbn.com>, stephen.farrell@cs.tcd.ie
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/ZPzY2QXA2_Zgj-U_fEpn_FJ2r14
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] path validation
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Oct 2014 21:02:34 -0000

On Thu, Oct 2, 2014 at 12:13 PM, Stephen Kent <kent@bbn.com> wrote:
>> On Wed, Oct 1, 2014 at 10:29 AM, Stephen Kent<kent@bbn.com>  wrote:
>> You are missing the point of certificate transparency.
>
> I may, since the definition of the goals seem to change over time.

That, in a nutshell, is exactly the point of certificate transparency.

CT should provide a log service in a way that is neutral with respect
to whatever requirements CABF or browser vendors may in future impose.

This is good for good CAs: It means that they will have the
flexibility to provide new services / cert types as soon as clients
will accept them. They won't have to, in addition, go through this
WG.[*]

[*] Requiring CAs/browser vendors to get this WG's blessing seems to
be the motivation of many of the proposals.

> I was suggesting that there might be benefits to checking at the time
> of issuance, principally in the case of pre-certs.

These proposals amount to this:

Let's spare a CA who lets their private key be used to sign something
it shouldn't have signed any reputational damage by requiring logs to
not report it. This is exactly the wrong incentive. CAs -- both root
and intermediate -- need to have security controls that ensure that
they don't sign malicious things.

> What CT does should or should not be ought to be justified based on an
> analysis of attacks and what CT does to address them, not on blanket
> statements that mis-issuance cannot be defined.

[and other Stephen]: > That's . . . better that a mere assertion that
"logging is good."

The IETF has previously standardized logging protocols. See, inter
alia, RFC 5424. Is consensus lacking for the idea that logging is
good?

v2.23.0 | Report a Bug | By Email