Re: [Trans] Certificate verification
Stephen Kent <kent@bbn.com> Tue, 21 October 2014 15:46 UTC
Return-Path: <kent@bbn.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 605B01A8867 for <trans@ietfa.amsl.com>; Tue, 21 Oct 2014 08:46:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.81
X-Spam-Level:
X-Spam-Status: No, score=-2.81 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JW5fNWC5NE2u for <trans@ietfa.amsl.com>; Tue, 21 Oct 2014 08:46:26 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B26421A87EF for <trans@ietf.org>; Tue, 21 Oct 2014 08:46:26 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:37827 helo=comsec.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1Xgbds-0003ol-0S for trans@ietf.org; Tue, 21 Oct 2014 11:46:41 -0400
Message-ID: <54467FCA.4090200@bbn.com>
Date: Tue, 21 Oct 2014 11:46:18 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: trans@ietf.org
References: <871tq6uaf1.fsf@nordberg.se> <CABrd9STBA9jh6oHXBzEgUD73rWDRbgrFZc69H5tHOzD4Cw=WHg@mail.gmail.com> <87ppdmhqg7.fsf@nordberg.se> <alpine.LFD.2.10.1410201340380.1071@bofh.nohats.ca> <87zjcqjuio.fsf@nordberg.se> <20141020222758.GQ16429@hezmatt.org>
In-Reply-To: <20141020222758.GQ16429@hezmatt.org>
Content-Type: multipart/alternative; boundary="------------020905030705090205000802"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/kDGsYmEDSCpSHANJV5LAgxVoMgE
Subject: Re: [Trans] Certificate verification
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Oct 2014 15:46:33 -0000
Matt, Fair question. If attribution is not possible, because we choose to not require chaining to a root accepted by the log (as currently called for) then the attack analysis will be updated to reflect this loss of security functionality in those cases. Note that my proposal to allow (not require) logs to perform syntactic checks, and to note the result of such checks, is compatible with logs that choose to not perform even basic path validation. It would be another class of (non) checks that can be registered in the proposed IANA registry and reported by a log. Also, if basic path validation is not performed, a log should advertise that, just as it should advertise the set of root CAs that it does check. This allows Monitors and clients to know what the log says it is doing, so that others do not have to guess or learn by some unspecified, OOB means. I suggest another registry entry for logging self-signed certs will make sense too, if 6962-bis stops excluding them. Steve > Is attribution critical for the core functionality of CT? (I know this goes > back to the "purpose of CT" thread that Stephen's done a lot of work > defining, and I've got to get around to participating in that thread) While > I agree that the remediation mechanisms available increase if you know which > root CA to hassle to get a cert revoked, knowledge that a cert was issued > still has *some* value, even if there's no clear indication of who issued it > (in a fanciful future of infinite storage, where self-signed certs were > accepted in logs). > > - Matt >
- [Trans] Certificate verification Linus Nordberg
- Re: [Trans] Certificate verification Matt Palmer
- Re: [Trans] Certificate verification Linus Nordberg
- Re: [Trans] Certificate verification Ben Laurie
- Re: [Trans] Certificate verification Ben Laurie
- Re: [Trans] Certificate verification Linus Nordberg
- Re: [Trans] Certificate verification Paul Wouters
- Re: [Trans] Certificate verification Linus Nordberg
- Re: [Trans] Certificate verification Matt Palmer
- Re: [Trans] Certificate verification Matt Palmer
- Re: [Trans] Certificate verification Ben Laurie
- Re: [Trans] Certificate verification Stephen Kent