Re: [Trans] Precertificate format

Ben Laurie <benl@google.com> Thu, 11 September 2014 15:15 UTC

In-Reply-To: <5410779A.20209@bbn.com>
References: <540DFA75.2040000@gmail.com> <540E0E90.1070208@bbn.com> <540E28FD.7050809@gmail.com> <540ECD3A.4040704@primekey.se> <540F4598.5010505@bbn.com> <CABrd9SSg5=wuierLoqAU00pMHxgGx+=ai5mHv4u5t6zm43yDWg@mail.gmail.com> <5410779A.20209@bbn.com>
Date: Thu, 11 Sep 2014 16:15:35 +0100
Message-ID: <CABrd9STnjqDBF4-5ABJ86M_d0bwRyjRNjRW6Hnj9UpeYC7Xz9A@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Stephen Kent <kent@bbn.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/hweJlQzgtbSDPmm1-uU01xwlqec
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] Precertificate format

On 10 September 2014 17:08, Stephen Kent <kent@bbn.com> wrote:
> Ben,
>
>
>> On 9 September 2014 19:23, Stephen Kent <kent@bbn.com> wrote:
>>>
>>> I agree that using a redefined (to include the serial number) cert
>>> template from CRMF would avoid the 5280 issue, but it still requires
>>> the CA to assign the serial number before the cert is issued. That is
>>> my biggest concern, i.e., it imposes a new requirement on CAs, one
>>> that may have adverse security implications for some. Nonetheless, I
>>> like your suggestion (minus the serial number) as a starting point.
>>> See my next message.
>>
>> I have a suggestion: let the RFC say that any certificate which the
>> log knows can be revoked without knowing its serial number can omit
>> the serial number.
>
> because, as you noted, we have no IETF-standard way to revoke a single
> cert w/o knowing its serial number

Quite.

> I don't think this is a good fix.

Until there is such a mechanism, omitting serial numbers makes it hard
(or impossible?) for anyone to take effective action on violations
discovered via CT. So, CT has to require serial numbers until then.
This language allows that to happen.

> Nonetheless, I do appreciate your willingness to explore alternative
> approaches to address the concern I raised.
>
>
> Steve
>
> _______________________________________________
> Trans mailing list
> Trans@ietf.org
> https://www.ietf.org/mailman/listinfo/trans
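The admission rule Ben Laurie proposes (a log requires a serial number until a revocation mechanism that works without one exists), shown as an added example that is not part of the thread or of any CT implementation. It assumes the precertificate is carried as an RFC 4211 CRMF CertTemplate, where the module uses IMPLICIT tags and serialNumber is `[1] INTEGER OPTIONAL`; the DER samples and the function names are constructed for illustration.

```python
# Added example: log-side check that a CRMF-style CertTemplate carries a
# serial number. Tag layout follows RFC 4211 (IMPLICIT tags): [1] is
# serialNumber, so it appears as the primitive context tag 0x81.

def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos).
    Handles single-byte tags and short/long definite lengths only."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:end], end

def cert_template_serial(der):
    """Return the serialNumber from a DER CertTemplate, or None if absent."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x81:  # [1] IMPLICIT INTEGER = serialNumber
            return int.from_bytes(value, "big", signed=True)
    return None

def log_accepts(der, serialless_revocation_available=False):
    """Admission policy from the thread: require a serial number unless a
    revocation mechanism that needs no serial number exists (constructed
    flag; the thread notes no IETF-standard one does)."""
    return serialless_revocation_available or cert_template_serial(der) is not None

# Constructed samples: serialNumber 42 plus an empty [5] subject Name,
# versus a template with only the empty subject.
WITH_SERIAL = bytes([0x30, 0x07, 0x81, 0x01, 0x2A, 0xA5, 0x02, 0x30, 0x00])
NO_SERIAL = bytes([0x30, 0x04, 0xA5, 0x02, 0x30, 0x00])
```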