Re: [Trans] Precertificates and revocation
Ryan Sleevi <ryan-ietf@sleevi.com> Fri, 20 September 2019 16:16 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08E4112026E for <trans@ietfa.amsl.com>; Fri, 20 Sep 2019 09:16:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.922
X-Spam-Level:
X-Spam-Status: No, score=-1.922 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.026, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EGv9Sb6v-Ehz for <trans@ietfa.amsl.com>; Fri, 20 Sep 2019 09:16:22 -0700 (PDT)
Received: from mail-ed1-f50.google.com (mail-ed1-f50.google.com [209.85.208.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B1E5120113 for <trans@ietf.org>; Fri, 20 Sep 2019 09:16:22 -0700 (PDT)
Received: by mail-ed1-f50.google.com with SMTP id r16so6969838edq.11 for <trans@ietf.org>; Fri, 20 Sep 2019 09:16:21 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8QF9jyehFQZ3A7bGSKqJnE1BniF5VVp54Uv4UPCJTDg=; b=RTkLL61oL9X68tZu2k/il/PvCZzSd7eASGYUjT5YkjaYK06TXCZpmbtaICtxD6sXXC L1P2kk6SOztLtuRbx3APenB4A1KvUxewY4MuIGyoN2qmhZa9wKMpyINIBluNPT3i47kk 1I/cNvwEIDDaDar5UCJ2cV1tI/Cb5bzHQc31mjSjEQBEG540onAwemp1V01WGk9+3vyK ciyCqA3rSHKZHZMhvv0vsivpr6j07PtTc7mmQWDeUwKSoBLoXCWZND3YE2n69Mw96E6n sljrySWILQsFMRNXiJEsI/YP+1ldoXtxOWGQNRToCZ2ZRfKePc2MuF/V2DDmvfRGx9m0 9uUg==
X-Gm-Message-State: APjAAAU/6AyB/pd8q6EaGODTVtTWVsfgLvmdxTAKHwl/JsXpyLTZr9OY PAm8Pl5r/sveEzDHp0ulY2hPq1Xg
X-Google-Smtp-Source: APXvYqySrjBqNJ9NvRrjDcp8cuEtOkYeGHYXiEGcS9t195YqHoWK50K94Mdz83JVE56KZ06gfvChiQ==
X-Received: by 2002:a50:f603:: with SMTP id c3mr18500768edn.208.1568996179931; Fri, 20 Sep 2019 09:16:19 -0700 (PDT)
Received: from mail-wr1-f45.google.com (mail-wr1-f45.google.com. [209.85.221.45]) by smtp.gmail.com with ESMTPSA id c24sm273488ejp.43.2019.09.20.09.16.19 for <trans@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 20 Sep 2019 09:16:19 -0700 (PDT)
Received: by mail-wr1-f45.google.com with SMTP id h7so7319301wrw.8 for <trans@ietf.org>; Fri, 20 Sep 2019 09:16:19 -0700 (PDT)
X-Received: by 2002:a5d:6844:: with SMTP id o4mr13283984wrw.188.1568996179383; Fri, 20 Sep 2019 09:16:19 -0700 (PDT)
MIME-Version: 1.0
References: <20190916100800.5b62d43c0f28e30269f41b7a@andrewayer.name> <21a9ea1e-124b-3bf2-72f5-4dc755d4061b@sectigo.com>
In-Reply-To: <21a9ea1e-124b-3bf2-72f5-4dc755d4061b@sectigo.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Fri, 20 Sep 2019 12:16:07 -0400
X-Gmail-Original-Message-ID: <CAErg=HHcG8p_6NAzKyDYg+gPpF6p7F688pSD+qD+shcFdr9vRA@mail.gmail.com>
Message-ID: <CAErg=HHcG8p_6NAzKyDYg+gPpF6p7F688pSD+qD+shcFdr9vRA@mail.gmail.com>
To: Rob Stradling <rob@sectigo.com>
Cc: "trans@ietf.org" <trans@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ed1f6d0592fe630e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/eEJ_xPLSZMTmVnU3OtvXvEwkqH0>
Subject: Re: [Trans] Precertificates and revocation
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Sep 2019 16:16:24 -0000
As I mentioned elsewhere, I'm not sure this is an entirely useful or productive concern to be raising at this time. I have also shared that I think this is a question of policy than protocol, even though the policy decision has implications on other protocols. Thus I think it's much more appropriately discussed among individual implementations. As a protocol for allowing both the pre-disclosure of a certificate and post-disclosure of a certificate. We saw, rather extensively in the Threat Model document, different perspectives on policies regarding how pre-disclosure should be treated and handled. For example, using the protocol in 6962 or -bis, it's possible to use CT as a means of detecting and correcting certificates prior to issuance (the discussion about Logs applying rules to certificates). Similarly, it's possible for CT as a protocol to be used entirely internal to an organization, as part of audit logging for external audits via a common protocol, even with the inclusion of data that might otherwise be inappropriate for publicly-exposed logs. So I do think that, from the point of view of the RFCs, it's a matter of policy as to how the existence of a pre-certificate is treated, which aligns with the particular intended deployment of the CT protocol. If a policy (e.g. by a browser, for the Web PKI) treats the issuance of a pre-certificate as an unrebuttable proof of an equivalent certificate, which is certainly one of the core things CT enables policy to state, then it naturally follows that it must be treated as such within protocols that are keyed on the issuance of certificates. It's an operational concern, defined by local policy, as to what impact, if any, it has on other protocols. Just as RFC 5280 does not define, for example, what forms of names to include within a distinguished name, I'm not convinced that this would even belong in 6962-bis, because it covers the operational aspects and implications of a PKI that may use, in part or whole, these RFCs.
- [Trans] Precertificates and revocation Rob Stradling
- Re: [Trans] Precertificates and revocation Ryan Sleevi
- Re: [Trans] Precertificates and revocation Erwann Abalea
- Re: [Trans] Precertificates and revocation Rob Stradling
- Re: [Trans] Precertificates and revocation Eran Messeri
- Re: [Trans] Precertificates and revocation Rob Stradling
- Re: [Trans] Precertificates and revocation Rob Stradling
- Re: [Trans] Precertificates and revocation Eran Messeri
- Re: [Trans] Precertificates and revocation Rob Stradling
- Re: [Trans] Precertificates and revocation Rob Stradling
- Re: [Trans] Precertificates and revocation Paul Wouters