Re: [Trans] Certificate and Precertificate extensions ordering

Eran Messeri <eranm@google.com> Thu, 11 September 2014 10:56 UTC

In-Reply-To: <CA+i=0E5o_JEUquZpxhwiVKU3dvDTOHSf0fbeD7Nj7vrDwAkeSw@mail.gmail.com>
References: <CA+i=0E5o_JEUquZpxhwiVKU3dvDTOHSf0fbeD7Nj7vrDwAkeSw@mail.gmail.com>
Date: Thu, 11 Sep 2014 11:56:33 +0100
Message-ID: <CALzYgEcEpegaBt6-w+Y7Hs6EODdHUe=CFA6W=H8Afd9gxZjaSg@mail.gmail.com>
From: Eran Messeri <eranm@google.com>
To: Erwann Abalea <eabalea@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/fwXQRnuWcd9GzxS6m7sWs2NoIaM
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] Certificate and Precertificate extensions ordering

The poison extension is removed from the Precertificate prior to the log
producing an SCT over it, so a client never has to know about it. What the
TLS client has to do is to remove the "embedded SCTs" extension from the
certificate prior to validating the signature.

On Thu, Sep 11, 2014 at 11:40 AM, Erwann Abalea <eabalea@gmail.com> wrote:

> Hello,
>
> It seems there's no constraint on the order of extensions in the final
> certificate relative to the Precert.
> Won't it be problematic if the browser wants to validate the SCT
> signatures by constructing the Precert from the final certificate? Where
> should a CA add the poisonous extension? And the future "redactedlabels"
> extension (it has no name)?
>
> --
> Erwann.
>
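The two steps described in the reply above, the log dropping the poison extension from the Precertificate and the TLS client dropping the embedded-SCT extension before checking the SCT signature, are the same DER operation. The following is an added example, not code from this thread or from any CT implementation; it assumes a constructed, abbreviated TBSCertificate (version, serial and extensions only) and a placeholder, empty SCT list as the extension value.

```python
# Added example (not code from this thread). Drop one extension, by OID,
# from a DER TBSCertificate and re-encode it: the log does this with the
# poison extension, the TLS client with the embedded-SCT extension.
SCT_LIST_OID = bytes.fromhex("060a2b06010401d679020402")  # 1.3.6.1.4.1.11129.2.4.2
POISON_OID = bytes.fromhex("060a2b06010401d679020403")    # 1.3.6.1.4.1.11129.2.4.3
def der_len(n):  # DER length, short or long form
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def split_tlv(data, pos):
    """Return (tag, body, position after this element) for the TLV at data[pos]."""
    tag, n, pos = data[pos], data[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(data[pos:pos + k], "big"), pos + k
    return tag, data[pos:pos + n], pos + n

def strip_extension(tbs_der, oid_der):
    """Return tbs_der with every extension whose extnID equals oid_der removed."""
    tag, body, _ = split_tlv(tbs_der, 0)
    if tag != 0x30:
        raise ValueError("TBSCertificate must be a SEQUENCE")
    out, pos = b"", 0
    while pos < len(body):
        t, b, pos = split_tlv(body, pos)
        if t == 0xA3:  # [3] EXPLICIT Extensions ::= SEQUENCE OF Extension
            _, exts, _ = split_tlv(b, 0)
            kept, p = b"", 0
            while p < len(exts):
                et, eb, p = split_tlv(exts, p)
                if not eb.startswith(oid_der):  # an Extension begins with its extnID
                    kept += tlv(et, eb)
            b = tlv(0x30, kept)
        out += tlv(t, b)  # all other TBSCertificate fields are copied unchanged
    return tlv(0x30, out)

def sample_tbs(extra_ext=b""):
    """Constructed, abbreviated TBSCertificate: version, serial, extensions only."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))  # [0] INTEGER 2 (v3)
    serial = tlv(0x02, b"\x01")
    basic = tlv(0x30, bytes.fromhex("0603551d13") + tlv(0x04, tlv(0x30, b"")))  # basicConstraints
    return tlv(0x30, version + serial + tlv(0xA3, tlv(0x30, basic + extra_ext)))
# Embedded-SCT extension with a placeholder (empty) SCT list, and the critical poison extension
EMBEDDED_SCTS = tlv(0x30, SCT_LIST_OID + tlv(0x04, tlv(0x04, b"\x00\x00")))
POISON = tlv(0x30, POISON_OID + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x05, b"")))
```

Because the other fields are copied in their original order, the reconstructed TBSCertificate is byte-identical regardless of where the CA placed the stripped extension, which is why extension ordering need not be constrained for this step.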