Re: [Trans] Relaxing section 5.1

Ben Laurie <benl@google.com> Fri, 04 November 2016 13:41 UTC

From: Ben Laurie <benl@google.com>
Date: Fri, 04 Nov 2016 13:33:09 +0000
Message-ID: <CABrd9SQnFApjrn2zOekHcfgvV6NyFFTr9ObwUdncsUggc7cFNg@mail.gmail.com>
To: Peter Bowen <pzbowen@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/hVGEhtzM_8v1M5VQQGeaujFmZ-w>
Cc: Melinda Shore <melinda.shore@gmail.com>, "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] Relaxing section 5.1

On 3 November 2016 at 14:01, Peter Bowen <pzbowen@gmail.com> wrote:
> On Thu, Nov 3, 2016 at 3:31 AM, Ben Laurie <benl@google.com> wrote:
>> On 2 November 2016 at 14:08, Peter Bowen <pzbowen@gmail.com> wrote:
>>>
>>> By requiring all logs MUST accept any certificate that chains to a
>>> root in the log's root list, 6962bis fails to allow log operators to
>>> mitigate any Denial of Service attacks mounted by attempting to log
>>> massive numbers of certificates that are not relevant to the log
>>> scope.  For example, many existing certification authorities issue
>>> both server authentication certificates and certificates for personal
>>> identification.  For some roots, acquiring large numbers of these is
>>> relatively easy (see discussion of fetching millions of Taiwanese
>>> Citizen Digital Certificates in
>>> https://smartfacts.cr.yp.to/smartfacts-20130916.pdf)  As written
>>> today, a log MUST accept these.  There is no option for a log to
>>> require that all certificates must meet some usability criteria.
>>
>> The requirement is to reject certs that don't meet the criteria, not
>> to accept those that do.
>
> So the root list is just "advisory" -- I could include roots where my
> local policy results in rejecting all certs chained to that root?  Or
> I could follow Brian's template and reject all and later add to the
> log via some other API (or have some rule like "client IP address must
> be 127.0.0.1" in order to get a cert logged)?  These would all be
> 6962bis compliant?

I was just reading what the language you quoted says. I don't actually
have the whole of 6962bis in my head right now.

The bit you didn't quote does say that the log has to accept valid
certs, tho: "Logs MUST accept certificates and precertificates that
are fully valid according to RFC 5280 [RFC5280] verification rules and
are submitted with such a chain."