[Trans] Masking of private subdomains

Rick Andrews <Rick_Andrews@symantec.com> Wed, 19 March 2014 21:13 UTC

From: Rick Andrews <Rick_Andrews@symantec.com>
To: "trans@ietf.org" <trans@ietf.org>
Date: Wed, 19 Mar 2014 14:13:46 -0700
Message-ID: <544B0DD62A64C1448B2DA253C011414607C7F65A0D@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/a6fEFqRRR9IFiSNQ2D_UPxuRCiw
Subject: [Trans] Masking of private subdomains
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>

Rob Stradling has proposed:
"The PreCertificate could contain SAN:dNSName=<PRIVATE>.customer.com (I mean the literal string "<PRIVATE>"), and the real certificate could contain:
	• SAN:dNSName=top.secret.customer.com
	• an extension that records the mapping between "top.secret" and "<PRIVATE>". I suggest a SEQUENCE of INTEGERs, one for each Subject:commonName and SAN:dNSName (and in the same order that they appear in the cert), indicating how many leftmost domain components are masked."

1) I agree there should be an extension to alert clients to the fact that a subdomain has been masked, but I'm not sure I see the value in knowing how many leftmost domain components are masked. A monitor will notify the domain owner that a certificate appeared in the log for their domain, with serial number 1234. The domain owner will then search through their list of known certificates for one issued by that CA cert with that serial number. Knowing the number of masked subdomains is of little or no value.

2) Consider a case where a cert contains multiple SANs from the same domain, all of which are to be masked:
	SAN1=foo.example.com
	SAN2=bar.example.com
	SAN3=foo.bar.example.com
All would be replaced with the same masked value. Should the precertificate hold duplicate information, like this:
	SAN1=<PRIVATE>.example.com
	SAN2=<PRIVATE>.example.com
	SAN3=<PRIVATE>.example.com
Or should it contain only one <PRIVATE>.example.com? What's the value in knowing the number of SANs in the cert if they're all masked?

-Rick
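The following is an added illustration of the masking scheme under discussion; it is not code from this thread, from Rob Stradling's proposal, or from any CT implementation. It models the proposed "SEQUENCE of INTEGERs" extension as a plain Python list of counts (one per SAN, in SAN order), treats dNSNames as strings rather than ASN.1 values, and assumes a count of 0 means "not masked". It builds the precertificate SAN list from a real certificate's SANs, shows the duplicate-collapse question from point 2, and includes the client-side consistency check a relying party would need to run against the precertificate and the mapping extension, plus the monitor-side match that point 1 describes.

```python
"""Illustration (not from the thread) of precertificate SAN masking.

Assumptions: the mapping extension is a Python list of ints standing in for
the proposed SEQUENCE OF INTEGER; names are plain strings; count 0 = unmasked.
"""

MASK = "<PRIVATE>"  # the literal placeholder label proposed in the thread


def mask_name(name: str, masked_labels: int) -> str:
    """Replace the leftmost `masked_labels` labels of a dNSName with MASK.

    Masking every label (leaving no public suffix to monitor) is rejected,
    since a monitor could no longer attribute the entry to any domain.
    """
    labels = name.split(".")
    if masked_labels < 0 or masked_labels >= len(labels):
        raise ValueError(f"cannot mask {masked_labels} label(s) of {name!r}")
    if masked_labels == 0:
        return name
    return ".".join([MASK] + labels[masked_labels:])


def build_precert_sans(real_sans, masked_labels):
    """Return (precert SAN list, mapping extension) for a real cert's SANs.

    One count per SAN, in the same order the SANs appear in the certificate.
    """
    if len(real_sans) != len(masked_labels):
        raise ValueError("the mapping must carry exactly one count per SAN")
    precert = [mask_name(n, k) for n, k in zip(real_sans, masked_labels)]
    return precert, list(masked_labels)


def dedupe_precert_sans(precert_sans):
    """The alternative raised in point 2: keep only one copy of each masked value."""
    seen, out = set(), []
    for n in precert_sans:
        if n not in seen:
            seen.add(n)
            out.append(n)
    return out


def verify_mapping(real_sans, precert_sans, mapping):
    """Client-side check: is the real cert consistent with the logged precert
    plus the mapping extension?  Returns a list of problems (empty = consistent).
    """
    problems = []
    if not (len(real_sans) == len(precert_sans) == len(mapping)):
        return ["SAN count differs between real cert, precert and mapping"]
    for i, (real, logged, k) in enumerate(zip(real_sans, precert_sans, mapping)):
        try:
            expected = mask_name(real, k)
        except ValueError as exc:
            problems.append(f"SAN {i}: {exc}")
            continue
        if expected != logged:
            problems.append(f"SAN {i}: precert has {logged!r}, expected {expected!r}")
    return problems


def monitor_matches(precert_sans, watched_domain):
    """Monitor-side: which logged names (masked or not) fall under a watched domain."""
    suffix = "." + watched_domain
    return [n for n in precert_sans if n == watched_domain or n.endswith(suffix)]


if __name__ == "__main__":
    # Constructed sample: the three SANs from point 2, all to be masked.
    real = ["foo.example.com", "bar.example.com", "foo.bar.example.com"]
    precert, ext = build_precert_sans(real, [1, 1, 2])
    print("precert SANs:", precert)            # three identical masked entries
    print("mapping ext :", ext)                # [1, 1, 2]
    print("deduplicated:", dedupe_precert_sans(precert))
    print("client check:", verify_mapping(real, precert, ext) or "consistent")
    print("monitor hits:", monitor_matches(precert, "example.com"))
```

Note that once the precertificate is deduplicated, the per-SAN mapping no longer lines up position-for-position with the real certificate, which is the tension between the two options in point 2: the client check above needs either the full (duplicated) list or a different encoding of the mapping.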