Re: [Trans] Question about PRIVATE option (Ticket #1)
Eran Messeri <eranm@google.com> Wed, 12 March 2014 14:24 UTC
Return-Path: <eranm@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C1241A071B for <trans@ietfa.amsl.com>; Wed, 12 Mar 2014 07:24:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.925
X-Spam-Level:
X-Spam-Status: No, score=-1.925 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EKkjuTP_gnh6 for <trans@ietfa.amsl.com>; Wed, 12 Mar 2014 07:23:56 -0700 (PDT)
Received: from mail-oa0-x22a.google.com (mail-oa0-x22a.google.com [IPv6:2607:f8b0:4003:c02::22a]) by ietfa.amsl.com (Postfix) with ESMTP id B352A1A06B2 for <trans@ietf.org>; Wed, 12 Mar 2014 07:23:56 -0700 (PDT)
Received: by mail-oa0-f42.google.com with SMTP id i4so10148931oah.1 for <trans@ietf.org>; Wed, 12 Mar 2014 07:23:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=8piU+mtqGldcxTWNqPeZOYjNo3CRoqEzuD+2H7WV9Ig=; b=hOJd4KctW/7+ve3SkteLbak99z16Q3k3fT+tbKvLiMfzEvvFn5dvIyz0mTf1bZQ9PJ vMf50CMsL96oEjmgLfwOSdoASZTlcQD/RDoSo8vgY5DytjTzFRDS0u3Cdx7C5B5Es0in 7goOcNkLAUYoMl9JuvdCWJ6fIvgor97dKLquWVlHj21jPKnmtkPgSf+vYongeqFfRXk1 hEXosPV3KmkMlSV/8px3iy90sAeV97N4zV1ICjC0zcCqHnjNSlub2gO3MDoSWZ+MxDBp 4MjolvwdrZHV91DcgazwWb5XCUVsSM2VDVPScGIRut+iiQBofDAyMTpEtuBS98y1EbZy pS0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=8piU+mtqGldcxTWNqPeZOYjNo3CRoqEzuD+2H7WV9Ig=; b=TudiUPnxPxwxIbEAI6ZzhFalwZOYWAKBIRZ0AHvHWNdxarLpgXcafw6DrAXKDp7v2X jeUE5Cs+aYfU37PB3q8Gk16qpGPrpDd3HCyQA+Kbi84mIGVqZrJXSy81GZfwDRL15qQE 050yMBcknDT8J0DNKUK1iUebIJgtk5upOYOtdByQeZ0mHBIYxHE/UShlkx8A5n+9lus+ C+bEzqcvVAZra2I7j/LnH8kx41W8MVpWtEOc2f1k1R4Qh5nFWaeI+rqSSfS6arwEMBU1 3n56CWEFiz6jUZTMzHxoQ6D6SPzqVDoH+ND/hoj7GgKlHr0DZvp7DLtuPLmdmCOJwsMk 3ZTA==
X-Gm-Message-State: ALoCoQk0/JvwKzo0cAuy+WaGgAK4bDEVB+GJ4HmlM2n3vAzrHL6yxS2fsUands5aQDwisooQrUMY1pTYL85LBrJbgNk1sfXsOY/HwjUU47JugYMNIqhM+pOyW1CsFI+azYwgsPflXkABECIbiaHDNFAxvqKPf3Ff/j4CfTFC1OjqQpQeI/4tM7iH6kGjDsfmEa69TG9K+xGF
MIME-Version: 1.0
X-Received: by 10.182.120.40 with SMTP id kz8mr39043091obb.6.1394634230361; Wed, 12 Mar 2014 07:23:50 -0700 (PDT)
Received: by 10.182.142.198 with HTTP; Wed, 12 Mar 2014 07:23:50 -0700 (PDT)
In-Reply-To: <53204F9E.7000507@comodo.com>
References: <544B0DD62A64C1448B2DA253C011414607C70EAF9E@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <531EE6A6.7000007@comodo.com> <544B0DD62A64C1448B2DA253C011414607C77BCCBE@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <53204F9E.7000507@comodo.com>
Date: Wed, 12 Mar 2014 14:23:50 +0000
Message-ID: <CALzYgEf-=7+XpBYgV-+0ijq-whRsn9gam7AELERZfof-TJ5uEg@mail.gmail.com>
From: Eran Messeri <eranm@google.com>
To: Rob Stradling <rob.stradling@comodo.com>
Content-Type: multipart/alternative; boundary="089e0139fc3ae490ce04f46995ea"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/ikWBBK0j2P5zKM63ykQEAH_0OM8
Cc: "trans@ietf.org" <trans@ietf.org>, Rick Andrews <Rick_Andrews@symantec.com>
Subject: Re: [Trans] Question about PRIVATE option (Ticket #1)
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Mar 2014 14:24:01 -0000
IMHO Option (ii) is the most straightforward solution. Option (iii) exposes the client to further complication (supporting private subdomains already complicates the client code). For SCT v2 (should we decide to have one) the entry_type could be an optional field outside the extensions. On Wed, Mar 12, 2014 at 12:14 PM, Rob Stradling <rob.stradling@comodo.com>wrote: > On 11/03/14 20:35, Rick Andrews wrote: > >> Rob, >> >> What you're suggesting is that the add-pre-chain command can be used to >> log a cert that ultimately will not include the SCTs in the final cert? >> > > Yes. > > > That seems like a path forward. >> > > Great. > > > For the slight complication you describe, I suppose that needs to be >> added to the issue tracker. >> > > Yes. I just wanted to check that it would work for you before I did that. > > I've just added http://trac.tools.ietf.org/wg/trans/trac/ticket/10 > > > -Rick >> >> -----Original Message----- >>> From: Rob Stradling [mailto:rob.stradling@comodo.com] >>> Sent: Tuesday, March 11, 2014 3:34 AM >>> To: Rick Andrews; trans@ietf.org >>> Subject: Re: [Trans] Question about PRIVATE option (Ticket #1) >>> >>> Rick, thanks for raising this. I agree that we need to make the >>> PRIVATE >>> option work in these scenarios. As it happens, I mentioned this to Ben >>> just before the trans meeting last week. >>> >>> My suggestion is that we should permit both Certificate SCTs _and >>> Precertificate SCTs_ to be delivered via OCSP Stapling and the TLS >>> Extension. >>> >>> There's no reason why a Precertificate couldn't be issued _after_ the >>> corresponding Certificate has been issued! :-) >>> >>> Would this work for you? >>> >>> >>> Slight complication... >>> In the SCT v1 format, entry_type is "implicit from the context in which >>> the SCT is presented." >>> So, for the above idea to work, we would need to either: >>> i) Define SCT v2, in which entry_type is expressed explicitly. >>> or >>> ii) Define a CtExtensions extension to carry the entry_type >>> explicitly in a v1 SCT. >>> or >>> iii) Expect TLS Clients to attempt to verify v1 SCTs sent via OCSP >>> Stapling or the TLS Extension twice (first time, assume entry_type is >>> "x509_entry"; if the SCT signature doesn't verify, try again, this time >>> assuming entry_type is "precert_entry"). >>> >>> On 10/03/14 18:58, Rick Andrews wrote: >>> >>>> Regarding Issue #1: _http://tools.ietf.org/wg/trans/trac/ticket/1#_ >>>> "Need options for avoiding logging private subdomains", I think the >>>> design is not yet complete. >>>> I understand how this works when my customer has chosen the precert >>>> delivery option (I mask the second level domain in the precert that I >>>> send with the add-pre-chain command). >>>> But if my customer has chosen to deliver SCTs via OCSP staple or TLS >>>> extension, and they want to keep their subdomain private, what do I >>>> >>> do? >>> >>>> I'm going to sign the cert without SCTs in it, but if I log it via an >>>> add-chain command, the subdomains will be visible in the log. >>>> -Rick >>>> >>> >>> -- >>> Rob Stradling >>> Senior Research & Development Scientist >>> COMODO - Creating Trust Online >>> >> >> _______________________________________________ >> Trans mailing list >> Trans@ietf.org >> https://www.ietf.org/mailman/listinfo/trans >> >> > -- > Rob Stradling > Senior Research & Development Scientist > COMODO - Creating Trust Online > Office Tel: +44.(0)1274.730505 > Office Fax: +44.(0)1274.730909 > www.comodo.com > > COMODO CA Limited, Registered in England No. 04058690 > Registered Office: > 3rd Floor, 26 Office Village, Exchange Quay, > Trafford Road, Salford, Manchester M5 3EQ > > This e-mail and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they are > addressed. If you have received this email in error please notify the > sender by replying to the e-mail containing this attachment. Replies to > this email may be monitored by COMODO for operational or business reasons. > Whilst every endeavour is taken to ensure that e-mails are free from > viruses, no liability can be accepted and the recipient is requested to use > their own virus checking software. > > > _______________________________________________ > Trans mailing list > Trans@ietf.org > https://www.ietf.org/mailman/listinfo/trans >
- [Trans] Question about PRIVATE option (Ticket #1) Rick Andrews
- Re: [Trans] Question about PRIVATE option (Ticket… Rob Stradling
- Re: [Trans] Question about PRIVATE option (Ticket… Rick Andrews
- Re: [Trans] Question about PRIVATE option (Ticket… Rob Stradling
- Re: [Trans] Question about PRIVATE option (Ticket… Eran Messeri
- Re: [Trans] Question about PRIVATE option (Ticket… Rob Stradling
- [Trans] Another Question about the PRIVATE option… Rick Andrews
- Re: [Trans] Another Question about the PRIVATE op… Ben Laurie
- Re: [Trans] Another Question about the PRIVATE op… Rob Stradling
- Re: [Trans] Another Question about the PRIVATE op… Phillip Hallam-Baker
- Re: [Trans] Another Question about the PRIVATE op… Daniel Kahn Gillmor
- Re: [Trans] Another Question about the PRIVATE op… Ben Laurie
- Re: [Trans] Another Question about the PRIVATE op… Daniel Kahn Gillmor
- Re: [Trans] Another Question about the PRIVATE op… Ben Laurie
- Re: [Trans] Another Question about the PRIVATE op… Ben Laurie