Re: [Trans] Fwd: Certificate Transparency with Russian GOST algorithms
Ben Laurie <benl@google.com> Tue, 18 March 2014 14:20 UTC
To: Melinda Shore <melinda.shore@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/e50_kIfD2PxOx151C-Y77KjgJH8
Cc: "trans@ietf.org" <trans@ietf.org>

On 11 March 2014 18:36, Melinda Shore <melinda.shore@gmail.com> wrote:
> For some reason Dmitry's mail is not arriving at the
> IETF server, so I thought I would forward it myself.
>
> Melinda
>
>
> -------- Original Message --------
> Subject: Certificate Transparency with Russian GOST algorithms
> Date: Tue, 11 Mar 2014 22:16:47 +0400
> From: Dmitry Belyavsky <beldmit@tcinet.ru>
> To: trans@ietf.org
> CC: melinda.shore@gmail.com
>
> Hi all!
>
> Here are some thoughts about using CT in Russia with Russian
> cryptographic algorithms (GOST). They were discussed with Ben Laurie
> during the IETF meeting in London. I am not sure which mailing list is
> the right place to post to, so I post it to the WG mailing list.
>
> Laws and practice in Russia require the use of the GOST hash and digital
> signature in X.509 certificates for government services. These
> certificates are signed by Russian CAs which are not in lists of
> trusted CAs in major browsers. It is not a problem to create an
> installation of a log server in Russia containing the list of Russian CAs.
> But a Russia-based service should use the GOST hash algorithm in the
> Merkle tree and GOST signature algorithm for signing SCTs. It seems not
> to be a problem because if GOST-based certificates are submitted to a
> GOST-based log, browsers not understanding the GOST algorithms will not
> have to verify GOST-based SCTs. But also it means that the hashing
> algorithm of the Merkle tree should become a config-time parameter of the
> log instance instead of being hardcoded. Also it should be possible to
> find out which algorithm is used in this or that log instance and it
> should be strictly prohibited to change this algorithm after the start of
> the log instance. It seems to be a good idea anyway because of the
> requirements of cryptographic algorithm agility.

As I mentioned elsewhere, in our view you change algorithm by starting a new log. The hash/signing algorithms are fixed properties of the log.

It seems to me there shouldn't be any difficulty accommodating GOST like this - I guess we'd have to add the rule that non-GOST certificates MUST NOT use GOST logs. Not sure whether we should require the opposite, though (i.e. GOST certificates MUST NOT use EC/SHA logs)?
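
Added example, not part of the original message or of any CT implementation: a sketch of a log whose hash and signature algorithms are fixed at creation, with the RFC 6962 Merkle Tree Hash taking the hash as a parameter and the proposed submission rule enforced. The `Log` class, the algorithm names and the use of SHA3-256 as a stand-in for the GOST hash (which Python's `hashlib` does not provide) are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass

# Assumption: hashlib has no GOST R 34.11 hash, so sha3_256 stands in for it here.
HASHES = {"sha256": hashlib.sha256, "gost-standin": hashlib.sha3_256}
# Constructed labels for GOST signature algorithms (hypothetical names).
GOST_SIG_ALGS = {"gost2001", "gost2012"}


def merkle_tree_hash(leaves, hash_name):
    """RFC 6962 section 2.1 Merkle Tree Hash with a selectable hash function."""
    h = HASHES[hash_name]
    n = len(leaves)
    if n == 0:
        return h(b"").digest()
    if n == 1:
        return h(b"\x00" + leaves[0]).digest()      # leaf prefix
    k = 1
    while k * 2 < n:                                # largest power of two < n
        k *= 2
    left = merkle_tree_hash(leaves[:k], hash_name)
    right = merkle_tree_hash(leaves[k:], hash_name)
    return h(b"\x01" + left + right).digest()       # interior node prefix


@dataclass(frozen=True)
class Log:
    """Hypothetical log instance: algorithms are set once and cannot be reassigned."""
    name: str
    hash_name: str
    sig_alg: str
    entries: tuple = ()

    def is_gost(self):
        return self.sig_alg in GOST_SIG_ALGS

    def submit(self, cert_der, cert_sig_alg):
        # Rule proposed in the message: non-GOST certificates MUST NOT use GOST logs.
        # The opposite rule is left open in the message and is not enforced here.
        if self.is_gost() and cert_sig_alg not in GOST_SIG_ALGS:
            raise ValueError("non-GOST certificate submitted to GOST log")
        # Appending yields a new Log with the same algorithms; they never change.
        return Log(self.name, self.hash_name, self.sig_alg, self.entries + (cert_der,))

    def root(self):
        return merkle_tree_hash(list(self.entries), self.hash_name)
```

Changing algorithm then means constructing a second `Log` with different parameters, which matches the "start a new log" model in the reply.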