Re: [Trans] Angle brackets in the PRIVATE option (Ticket #1)

Peter Bowen <pzbowen@gmail.com> Mon, 31 March 2014 13:44 UTC

Return-Path: <pzbowen@gmail.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5897C1A0A19 for <trans@ietfa.amsl.com>; Mon, 31 Mar 2014 06:44:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.878
X-Spam-Level:
X-Spam-Status: No, score=-0.878 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001, URI_HEX=1.122] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xUIauh-iTIqk for <trans@ietfa.amsl.com>; Mon, 31 Mar 2014 06:44:39 -0700 (PDT)
Received: from mail-pb0-x230.google.com (mail-pb0-x230.google.com [IPv6:2607:f8b0:400e:c01::230]) by ietfa.amsl.com (Postfix) with ESMTP id 55EBE1A0A17 for <trans@ietf.org>; Mon, 31 Mar 2014 06:44:38 -0700 (PDT)
Received: by mail-pb0-f48.google.com with SMTP id md12so8159103pbc.7 for <trans@ietf.org>; Mon, 31 Mar 2014 06:44:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=D0Eeb0X5UI9HTPu9AilKo7A3niV0d23dF9+grCOOxU4=; b=sPXE3DUG0HrJmdB/VEmDo9VHnJAAXvol3t+F6c+YB1bgFTnpShInUWlPWDnc0F8zrJ VKvrQuE9I0WL3QQRK2Ud4Tx77jIWvj1BthIbdjJ38zmK6JrsBaQaIJ8t+Vr7hOKsaR7k MEf46l+FS6aixLyugFQCsi1MZ4fpYlRzZXuP0k3ez5D2okyIpu1B8SoqpURlyCv3JXbj aJyA4SDZWxHDAsz6DepBNuroY40mehwerMh4AvlrKYAawuf9g36VnpeUrCa9Oqk/J6oC tKJJf+iMdFl7mRiwqE5oEV/G5kd2SI4elqDy2tPcIAXxkKN2Z0s8IqktTlowEkcMcl+E qzvQ==
MIME-Version: 1.0
X-Received: by 10.68.34.197 with SMTP id b5mr25426049pbj.16.1396273475314; Mon, 31 Mar 2014 06:44:35 -0700 (PDT)
Received: by 10.70.131.16 with HTTP; Mon, 31 Mar 2014 06:44:35 -0700 (PDT)
In-Reply-To: <53393F1F.6080005@comodo.com>
References: <544B0DD62A64C1448B2DA253C011414607C85F3902@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CAK6vND-NToUO3FgC-Tp-nykj-LYpDQE0AewJeF5oUHow6XSLSQ@mail.gmail.com> <53393F1F.6080005@comodo.com>
Date: Mon, 31 Mar 2014 06:44:35 -0700
Message-ID: <CAK6vND88x3PFM1Ay9ebwRBCabJMrjLH=c7xMtKWBJhOuwMJ-pw@mail.gmail.com>
From: Peter Bowen <pzbowen@gmail.com>
To: Rob Stradling <rob.stradling@comodo.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/j7G0PSoW_5UjGMNek3TIAzgpzpE
Cc: "trans@ietf.org" <trans@ietf.org>, Rick Andrews <Rick_Andrews@symantec.com>
Subject: Re: [Trans] Angle brackets in the PRIVATE option (Ticket #1)
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Mar 2014 13:44:40 -0000

On Mon, Mar 31, 2014 at 3:10 AM, Rob Stradling <rob.stradling@comodo.com> wrote:
> On 29/03/14 03:24, Peter Bowen wrote:
>> Instead of having "<PRIVATE>", what about replacing the redacted
>> string with a prefixed checksum of the part?
>>
>> Assuming we specify CRC-32 with "+" as the prefix,
>> "mail.corp.example.com" would become "+6f993bb2.example.com".  [...]
>> This has the benefit of providing
>> privacy while allowing stronger matching of the certificate.
>
> The aim of the PRIVATE option is to keep sub-domain names _completely
> hidden_ from the Log, so I think that revealing any information about them
> is problematic.

If _completely_hidden_ is the requirement, then I agree that any
option that is no f(x) = 1 (for fixed values of 1) fails.

Why have the long string "(PRIVATE)" at all then?  Would a single '?'
not be adequate?  I don't think you will ever find '?' in a real
dNSName.
On a related note, is there any plan to support blinding other general
name options?  Can email addresses in rfc822Name or ipAddresses be
blinded?

Thanks,
Peter