IETF Logo Mail Archive

Re: [Trans] Draft agenda

Rob Stradling <rob.stradling@comodo.com> Wed, 26 February 2014 13:28 UTC

Return-Path: <rob.stradling@comodo.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C55F51A02F5 for <trans@ietfa.amsl.com>; Wed, 26 Feb 2014 05:28:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.809
X-Spam-Level: *
X-Spam-Status: No, score=1.809 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HELO_MISMATCH_NET=0.611, J_CHICKENPOX_12=0.6, J_CHICKENPOX_22=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 02Zdsqc2l_VS for <trans@ietfa.amsl.com>; Wed, 26 Feb 2014 05:28:42 -0800 (PST)
Received: from ian.brad.office.comodo.net (eth5.brad-fw.brad.office.ccanet.co.uk [178.255.87.226]) by ietfa.amsl.com (Postfix) with ESMTP id 992211A00A6 for <trans@ietf.org>; Wed, 26 Feb 2014 05:28:40 -0800 (PST)
Received: (qmail 24461 invoked by uid 1000); 26 Feb 2014 13:28:37 -0000
Received: from nigel.brad.office.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (AES128-SHA encrypted) ESMTPSA; Wed, 26 Feb 2014 13:28:37 +0000
Message-ID: <530DEC04.30401@comodo.com>
Date: Wed, 26 Feb 2014 13:28:36 +0000
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Carl Wallace <carl@redhoundsoftware.com>, Ben Laurie <benl@google.com>
References: <53063600.4020102@gmail.com> <CALzYgEe0XrQdKDZN3_dwFLnM87+TXyYRMzj4ZGe5xKi-T_5V+g@mail.gmail.com> <530B86F6.5040201@gmail.com> <CABrd9SSpyw4nJ9t7X0WDeN+1MnhD+__-QXLOQXYs=h2JCUrwDg@mail.gmail.com> <CAMm+Lwj4XniVS_n+M3TmT_LM+P6H6HGgcnhMezUjnupKXzwwdg@mail.gmail.com> <CABrd9STabJA4Fp75HfC7ORR1LQZT+q0DDuB61O0JGBOt31cpmQ@mail.gmail.com> <CAMm+LwgT8MEG+Svr3zmMYYPrQNEXwtNPL0m7CjYFHKUAKKbfFQ@mail.gmail.com> <CABrd9STQQ69cPo3F5c22__aGbPAKV3AXnTFB47yd3s7+SQOpww@mail.gmail.com> <530DD6BC.8080207@comodo.com> <CABrd9SSX9XFqQK+UBdvai-ACLkPT6mudXsjYmh-cGOp-P62vog@mail.gmail.com> <530DDF7D.4040206@comodo.com> <CF334A3B.11C9F%carl@redhoundsoftware.com>
In-Reply-To: <CF334A3B.11C9F%carl@redhoundsoftware.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/abSBBTtF6SRikK6rAye33fmEVL0
Cc: "trans@ietf.org" <trans@ietf.org>, Melinda Shore <melinda.shore@gmail.com>, Phillip Hallam-Baker <hallam@gmail.com>, Eran Messeri <eranm@google.com>
Subject: Re: [Trans] Draft agenda
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2014 13:28:46 -0000

On 26/02/14 12:45, Carl Wallace wrote:
>
> On 2/26/14, 7:35 AM, "Rob Stradling" <rob.stradling@comodo.com> wrote:
>
>> On 26/02/14 12:27, Ben Laurie wrote:
>>> On 26 February 2014 11:57, Rob Stradling <rob.stradling@comodo.com>
>>> wrote:
>> <snip>
>>>> But if we must have ritual compliance with 5280, then my preferred
>>>> solution
>>>> is to "poison" the Issuer Name in the Precertificate.
>>>>
>>>> For example...
>>>> Certificate Issuer Name: C=GB, O=My CA Ltd., CN=My CA
>>>> Precertificate Issuer Name: 1.2.3.4=CT, C=GB, O=My CA Ltd., CN=My CA
>>>>
>>>> Sign both the Precertificate and the Certificate with the same CA
>>>> private
>>>> key.  Use the same serial number for both.
>>>>
>>>> It wouldn't matter whether or not there exists a CA Certificate with
>>>> the
>>>> Subject Name "1.2.3.4=CT, C=GB, O=My CA Ltd., CN=My CA".
>>>
>>> Ah. I like that idea. Rather less than I like the idea of fixing the
>>> need for ritual compliance, though.
>>
>> +1
>
> While I agree that lack of a CA certificate with the matching naming
> really doesn¹t matter, breaking name chaining seems like an odd way to
> maintain ³ritual compliance".  Why not bump the version number instead?
> v4 could be defined as a pre-certificate containing a poison extension and
> a serial number that matches its v3 counterpart.

Hi Carl.  I briefly discussed the idea of changing the version number 
with Ben a few months ago...

Rob: "More wacky idea...
I wonder if we could get away with putting 0x4354 in the certificate's 
Version field.  That might be enough to place it out-of-scope of 
RFC5280, and therefore out-of-scope of the duplicate serial number rule. 
  Probably more likely to break something though."

Ben: "I imagine it'd be hard to coerce most s/w to do this."

Also, I don't suppose IETF has the authority to define new X.509 
versions anyway.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

v2.23.0 | Report a Bug | By Email