[Trans] [trans] #80 (client-behavior): Re-introduce the issuer key hash into the Precertificate

"trans issue tracker" <trac+trans@tools.ietf.org> Tue, 31 March 2015 09:24 UTC

From: trans issue tracker <trac+trans@tools.ietf.org>
To: draft-ietf-trans-rfc6962-bis@tools.ietf.org, eranm@google.com
X-Trac-Project: trans
Date: Tue, 31 Mar 2015 09:24:24 -0000
X-URL: http://tools.ietf.org/trans/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/trans/trac/ticket/80
Message-ID: <056.7955c32a9fd14002205eaf236136fda6@tools.ietf.org>
X-Trac-Ticket-ID: 80
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/k0WBIcZOTZZqRwpsZyvUZ2ZAl9Y>
Cc: trans@ietf.org
Subject: [Trans] [trans] #80 (client-behavior): Re-introduce the issuer key hash into the Precertificate

#80: Re-introduce the issuer key hash into the Precertificate

 In the current draft (07), when the entry_type in the
 SignedCertificateTimestamp is precert_entry_V2, the only thing included in
 the signature is the TBSCertificate.
 The issuer key identifier is not included - the implication being that an
 SCT for a precertificate would be valid regardless of who the final issuer
 will be, so the submitter of the precertificate may not be bound to it
 in the SCT.
 (The Authority Key Identifier,
 https://tools.ietf.org/html/rfc5280#section-4.2.1.1, should uniquely
 identify the issuer but AIUI this could be the key or the issuer name and
 serial number and Rob Stradling pointed out that on some platforms the
 requirement this matches the issuer may not be enforced, as the stated
 goal of this extension is to facilitate path building).

 I propose re-introducing the issuer key hash and using it for X.509
 certificates in case ticket #4 is accepted (signing TBSCertificate for
 X.509 certificates as well).

-- 
-------------------------+-------------------------------------------------
 Reporter:               |      Owner:  draft-ietf-trans-
  eranm@google.com       |  rfc6962-bis@tools.ietf.org
     Type:  defect       |     Status:  new
 Priority:  major        |  Milestone:
Component:  client-      |    Version:
  behavior               |   Keywords:
 Severity:  -            |
-------------------------+-------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/trans/trac/ticket/80>
trans <http://tools.ietf.org/trans/>