Re: [Trans] Fwd: Certificate Transparency with Russian GOST algorithms

Ben Laurie <benl@google.com> Mon, 31 March 2014 10:51 UTC

Date: Mon, 31 Mar 2014 11:51:43 +0100
From: Ben Laurie <benl@google.com>
To: Dmitry Belyavsky <beldmit@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/_fb1ocWnOAlOcv-i7x7YFTsR11k
Cc: "trans@ietf.org" <trans@ietf.org>

On 31 March 2014 09:21, Dmitry Belyavsky <beldmit@gmail.com> wrote:
> Dear Ben,
>
> Sorry for my late response.
>
> 18.03.2014 18:20, Ben Laurie wrote:
>> As I mentioned elsewhere, in our view you change algorithm by starting
>> a new log.
>
> Ok. What about a way to find out the algorithm in use?

That is metadata that clients must discover outside the protocol
(along with things like MMD, log URL, etc).

>> It seems to me there shouldn't be any difficulty accommodating GOST
>> like this - I guess we'd have to add the rule that non-GOST
>> certificates MUST NOT use GOST logs. Not sure whether we should
>> require the opposite, though (i.e. GOST certificates MUST NOT use
>> EC/SHA logs)?
>
> What is expected to be the right behaviour when a certificate has SCTs
> from several different log servers and some of the SCT signatures can't be
> verified? If they are to be just ignored, I'm not sure we need such a
> limitation.

Fair point.
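An added example (not from this thread or from any CT implementation) of the client side of both points above: a per-log metadata table that a client obtains outside the protocol, carrying log URL, MMD and signature algorithm, and an SCT check that simply ignores SCTs it cannot verify. The LogMeta field names, the placeholder log IDs and the placeholder certificate are assumptions; the signed struct follows RFC 6962 section 3.2.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

// LogMeta holds what a client must learn about each log outside the protocol (field names assumed here).
type LogMeta struct {
	URL, Alg string           // Alg: this client can only verify "ecdsa-p256-sha256"
	MMD      uint32           // maximum merge delay, seconds
	PubKey   *ecdsa.PublicKey // nil when the client has no implementation of Alg
}

// sctSignedData builds the RFC 6962 section 3.2 digitally-signed struct for an x509_entry with no extensions.
func sctSignedData(ts uint64, cert []byte) []byte {
	b := binary.BigEndian.AppendUint64([]byte{0, 0}, ts)                          // v1, certificate_timestamp, timestamp
	b = append(b, 0, 0, byte(len(cert)>>16), byte(len(cert)>>8), byte(len(cert))) // x509_entry, 24-bit length
	return append(append(b, cert...), 0, 0)                                        // ASN.1Cert, empty CtExtensions
}
// VerifySCT is false for an unknown log_id (SHA-256 of the log's SPKI), an algorithm this client lacks, or a bad DER ECDSA sig.
func VerifySCT(logs map[[32]byte]LogMeta, logID [32]byte, ts uint64, sig, cert []byte) bool {
	m, ok := logs[logID]
	if !ok || m.Alg != "ecdsa-p256-sha256" {
		return false
	}
	h := sha256.Sum256(sctSignedData(ts, cert))
	return ecdsa.VerifyASN1(m.PubKey, h[:], sig)
}
// Demo checks three SCTs on a constructed certificate: a known EC log, a GOST log this client cannot
// verify, and a log with no metadata. Unverifiable SCTs are ignored rather than treated as fatal.
func Demo() [3]bool {
	cert, ts := []byte("constructed placeholder, not real DER"), uint64(1396263103000)
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ecID, gostID := sha256.Sum256([]byte("ec-log-spki-placeholder")), sha256.Sum256([]byte("gost-log-spki-placeholder")) // constructed IDs
	logs := map[[32]byte]LogMeta{
		ecID:   {"https://ec.example/ct/v1", "ecdsa-p256-sha256", 86400, &priv.PublicKey},
		gostID: {"https://gost.example/ct/v1", "gost", 86400, nil},
	}
	h := sha256.Sum256(sctSignedData(ts, cert))
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, h[:]) // the EC log's SCT signature
	return [3]bool{
		VerifySCT(logs, ecID, ts, sig, cert),
		VerifySCT(logs, gostID, ts, []byte{1}, cert),
		VerifySCT(logs, sha256.Sum256([]byte("?")), ts, sig, cert),
	} // [true false false]
}
```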