Re: [Trans] CT for purposes other than TLS server certificates
"Devon O'Brien" <devon.obrien@gmail.com> Wed, 18 September 2019 17:33 UTC
References: <16d453a3a78.28da.143536817a5040733b8fb57db4e639f1@truepic.com>
In-Reply-To: <16d453a3a78.28da.143536817a5040733b8fb57db4e639f1@truepic.com>
From: Devon O'Brien <devon.obrien@gmail.com>
Date: Wed, 18 Sep 2019 10:33:01 -0700
Message-ID: <CAPpiK7UuVj_dYUhCUQPiP_42fryPB0x74RtVJ8gHrhtOwiOEtw@mail.gmail.com>
To: Sherif Hanna <sherif@truepic.com>
Cc: trans@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/_IuPtD_lzbdY8ARe9pgA_xuOBWA>
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
While the mechanisms behind Certificate Transparency are technically capable of being used for X.509 certificates other than TLS server certificates, the current ecosystem is focused exclusively on TLS server certificates. This intent is captured in the abstracts of both RFC 6962 and -bis as well as policies defined by existing CT-enforcing user agents [1] [2].

Should a compelling need for non-TLS certificate transparency arise, current CT-enforcing user agents are very likely to insist that the set of CT Logs used for this new purpose is separate from the existing TLS CT Log ecosystem. There are several benefits of this:

1. Many other certificate types contain PII or other information that various laws require a service to be able to take down upon request, which conflicts with the append-only nature of CT.

2. Segmenting CT Log ecosystems by purpose insulates these CT Logs from possible mis-management of CAs in PKI ecosystems that are less scrutinized and maintained than the web PKI. While some progress is being made in reining in S/MIME and code signing certificate issuance practices, there is a long way to go.

3. This segmentation also allows purpose-specific Monitoring/Auditing of CT Logs (e.g. a Monitor like CertSpotter or Facebook not having to sift through the world's S/MIME or code signing certificates to notify you of a mis-issued TLS certificate). CT Monitoring is already a non-trivial task for the size of CT Logs that are intended to log only TLS certificates.

-Devon

[1] https://goo.gl/chrome/ct-policy
[2] https://support.apple.com/en-us/HT205280

On Wed, Sep 18, 2019 at 9:35 AM Sherif Hanna <sherif@truepic.com> wrote:

> Hello,
>
> Is the CT approach intended to be used beyond monitoring/auditing X.509
> certificates for servers? For example, for X.509 certificates used for code
> signing?
>
> Regards,
> Sherif
>
> _______________________________________________
> Trans mailing list
> Trans@ietf.org
> https://www.ietf.org/mailman/listinfo/trans
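Added illustration, not part of this thread and not code from any CT log or monitor: the Go program below makes two of the technical points above concrete. An RFC 6962-style Merkle tree hashes raw DER leaves and is therefore indifferent to whether a leaf is a TLS server, code-signing or S/MIME certificate (and to whether it contains PII that someone later wants removed), while a TLS-only Monitor running over such a mixed-purpose log has to parse and discard every non-TLS entry before it can even check names. The Log type, the Purpose and Monitor functions, the self-signed certificates generated in-process and the names example.com, other.test and alice@example.com are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Log is a toy append-only log (illustration only: no SCTs, no signed tree heads). Its
// head is the RFC 6962 Merkle Tree Hash over raw DER leaves; the log never parses a leaf,
// so TLS, code-signing and S/MIME certificates are equally loggable, and once appended
// an entry cannot be removed without changing every later head.
type Log struct{ leaves [][]byte }

func (l *Log) Append(der []byte) int { l.leaves = append(l.leaves, der); return len(l.leaves) - 1 }
func (l *Log) Leaves() [][]byte    { return l.leaves }

// leafHash/nodeHash use the 0x00/0x01 domain-separation prefixes of RFC 6962 section 2.1.
func leafHash(b []byte) [32]byte     { return sha256.Sum256(append([]byte{0x00}, b...)) }
func nodeHash(l, r [32]byte) [32]byte { return sha256.Sum256(append(append([]byte{0x01}, l[:]...), r[:]...)) }

// MTH is the Merkle Tree Hash of RFC 6962 section 2.1.
func MTH(leaves [][]byte) [32]byte {
	n := len(leaves)
	if n == 0 { return sha256.Sum256(nil) } // empty tree: SHA-256 of the empty string
	if n == 1 { return leafHash(leaves[0]) }
	k := 1
	for k*2 < n { k *= 2 } // largest power of two smaller than n
	return nodeHash(MTH(leaves[:k]), MTH(leaves[k:]))
}

// TreeHeadHex renders the tree head for display and comparison.
func TreeHeadHex(leaves [][]byte) string { h := MTH(leaves); return hex.EncodeToString(h[:]) }

var serial int64 // monotonic serial for the constructed certificates

// mkCert builds a self-signed P-256 certificate with one Extended Key Usage; every name
// passed in is constructed for this example.
func mkCert(cn string, dns []string, eku x509.ExtKeyUsage) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	return der
}

var purposeOf = map[x509.ExtKeyUsage]string{
	x509.ExtKeyUsageServerAuth: "tls-server", x509.ExtKeyUsageCodeSigning: "code-signing",
	x509.ExtKeyUsageEmailProtection: "smime",
}

// Purpose classifies a leaf by its EKU. On a mixed-purpose log a TLS-only Monitor has to
// do this for every entry before it can even look at the names.
func Purpose(der []byte) string {
	c, err := x509.ParseCertificate(der)
	if err != nil { return "unparseable" } // the log accepted it anyway; see Log
	for _, u := range c.ExtKeyUsage {
		if p, ok := purposeOf[u]; ok { return p }
	}
	return "other"
}

// Monitor returns the indices of TLS server certificates naming watched, plus how many
// non-TLS entries it had to sift through and discard to find them.
func Monitor(leaves [][]byte, watched string) (hits []int, skipped int) {
	for i, der := range leaves {
		if Purpose(der) != "tls-server" { skipped++; continue }
		c, _ := x509.ParseCertificate(der) // Purpose already parsed this leaf successfully
		for _, d := range c.DNSNames {
			if d == watched { hits = append(hits, i); break }
		}
	}
	return hits, skipped
}

// BuildSampleLog fills a log with constructed certificates of mixed purpose.
func BuildSampleLog() *Log {
	l := &Log{}
	l.Append(mkCert("example.com", []string{"example.com"}, x509.ExtKeyUsageServerAuth))
	l.Append(mkCert("Example Corp Code Signing", nil, x509.ExtKeyUsageCodeSigning))
	l.Append(mkCert("alice@example.com", nil, x509.ExtKeyUsageEmailProtection))
	l.Append(mkCert("other.test", []string{"other.test"}, x509.ExtKeyUsageServerAuth))
	return l
}

func main() {
	l := BuildSampleLog()
	hits, skipped := Monitor(l.Leaves(), "example.com")
	fmt.Printf("head %s\nTLS hits for example.com: %v (skipped %d non-TLS entries)\n", TreeHeadHex(l.Leaves()), hits, skipped)
}
```

Running it with go run prints one hit (leaf 0) and two skipped entries for the four-leaf sample; appending an arbitrary byte string is accepted just as readily, changes the head, and simply adds to the pile a TLS-only monitor has to wade through, which is the cost the third point above is about.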