Re: [Trans] DNSSEC also needs CT
Phillip Hallam-Baker <hallam@gmail.com> Sun, 11 May 2014 15:20 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 665771A0258 for <trans@ietfa.amsl.com>; Sun, 11 May 2014 08:20:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, LOTS_OF_MONEY=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7DvXe0ztYL3C for <trans@ietfa.amsl.com>; Sun, 11 May 2014 08:20:24 -0700 (PDT)
Received: from mail-wg0-x22e.google.com (mail-wg0-x22e.google.com [IPv6:2a00:1450:400c:c00::22e]) by ietfa.amsl.com (Postfix) with ESMTP id E99861A0259 for <trans@ietf.org>; Sun, 11 May 2014 08:20:23 -0700 (PDT)
Received: by mail-wg0-f46.google.com with SMTP id n12so5911503wgh.29 for <trans@ietf.org>; Sun, 11 May 2014 08:20:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=lA5XAm0f8cQP9lf+J3mf2zBQu4Ql/RmmjWqv4p+bb3g=; b=PdmzUo9GxtguYroTNAFXkRYLx/rXzJdz1Su/NAE2D2YU4mlHPrvkuGPS45wNiVLTx2 2OQo0xnzsEjCIa2fwZt9NLjdqJkZ+7c3Tuso6EJaBvr5XCyalbTtuVnquxoMk8j4qdx1 H0H0kyCSodSa7QFnNoxK4+GCRxcg70aHNFp2mRzvYXUmfgCg7O0bUquI7nYyUGRk3aUv s1bUb9uyeD3i06PKS0ZEihxpEsyKa8i4nxkZ8N3ptFQ+j90XYau3sNBVGN0CE9/5FxJr pojnNHjPEtem0Ne/6SOOCSF7B3ooLZQ4cnsxLHlLtHKOihJC2DT0Yu0cZzn0Aql3wmy8 BQmg==
MIME-Version: 1.0
X-Received: by 10.180.105.72 with SMTP id gk8mr11759124wib.32.1399821617801; Sun, 11 May 2014 08:20:17 -0700 (PDT)
Received: by 10.194.157.9 with HTTP; Sun, 11 May 2014 08:20:17 -0700 (PDT)
In-Reply-To: <536F8BC4.5070405@fifthhorseman.net>
References: <CAK3OfOjiL2DTJPH3CaAjg8YGrrwN56SgQ+DnqPXx4MLbgXQN+A@mail.gmail.com> <CAMm+Lwieij8Tm8V-gpE0eAfwie1dgtFL_Ga8dPkJFKJKLQDAcA@mail.gmail.com> <CAK3OfOiKjY6YyiyeHiFJrecZfj_uQ-2k+KucKnzb9Yt8VCRPOQ@mail.gmail.com> <CAHw9_iKpN7AXfrH6SzroMukrKTPR5z24U9KfWpVW-F2R_wX3ag@mail.gmail.com> <alpine.LFD.2.10.1405101722240.897@bofh.nohats.ca> <536F8BC4.5070405@fifthhorseman.net>
Date: Sun, 11 May 2014 11:20:17 -0400
Message-ID: <CAMm+LwjKDvi22SHLRDuEq=v4BXsD1_EyvCeuUxZBk7YDcLpr8w@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/lzSjPmPkfAkYaOm5Oep6HojPooE
Cc: "trans@ietf.org" <trans@ietf.org>, Paul Wouters <paul@nohats.ca>, Warren Kumari <warren@kumari.net>
Subject: Re: [Trans] DNSSEC also needs CT
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 May 2014 15:20:31 -0000
What I think this discussion is really uncovering is that we don't really have a model for how CT is applied to WebPKI certificates. All the questions raised in the DNSSEC discussion seem to be predicated on assumptions as to how CT logs are managed that are outside the spec. Which is why having the DNSSEC discussion now is useful. I don't like specs that are based on unwritten assumptions. That leads to a situation where implementations have to understand folklore. In particular, does CA = log maintainer? For DNSSEC there seem to be a lot of unnecessary assumptions being made. I certainly don't think everyone wants to run their own CT log for DNSSEC. And there would be little value in the scheme if they did. The value of a CT log depends in part on aggregation. Another unnecessary assumption is that any log maintainer would have to be a CABForum member. Membership in the forum has no impact on root inclusion or CT. The only requirement for root inclusion is acceptance by the root maintainer, most of which adopt the CABForum EV and BR criteria. The most important part there being audit. It is probably fair to assume that CT logs will be maintained by CAs but it would be entirely practical for an open service to be established. The criteria are rather simpler to enforce than certificate issue. It might or might not be desirable to require some sort of certificate chain to some sort of root. But any such chain does not need to be the only validation chain PKIX supports cross certificates and an end-entity certificate may be legitimately accredited to multiple roots. The main question is what purpose a CT log for DNSSEC would serve. For me the value would be to protect my domain against having it stolen by ICANN. The idea that we should put trust or faith in an organization extorting $250,000 for domains is ridiculous. And so is the fact that IESG members have told me that they don't think they should make that kind of comment even if true because of 'politics'. If you don't like your WebPKI CA then you can get another. And that means the costs are competitive. But ICANN has a monopoly and a rent seeking management. Deploying CT to establish an independent claim on the domains makes perfect sense.
- [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Mehner, Carl
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Tao Effect
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Tao Effect
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Tao Effect
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Warren Kumari
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Daniel Kahn Gillmor
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Salz, Rich
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- [Trans] Volunteer opportunity! (was Re: DNSSEC al… Melinda Shore
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Nico Williams
- [Trans] ***SPAM*** 8.1 (5) Re: DNSSEC also needs … Daniel Kahn Gillmor
- Re: [Trans] DNSSEC also needs CT Nico Williams
- [Trans] ***SPAM*** 7.971 (5) Re: ***SPAM*** 8.1 (… Ben Laurie
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Nico Williams
- [Trans] ***SPAM*** 8.956 (5) Re: ***SPAM*** 8.1 (… Nico Williams
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- [Trans] ***SPAM*** 8.1 (5) Re: Re: DNSSEC also ne… Daniel Kahn Gillmor
- [Trans] ***SPAM*** 8.956 (5) Re: ***SPAM*** 8.1 (… Nico Williams
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Melinda Shore
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Osterweil, Eric
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Osterweil, Eric
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Daniel Kahn Gillmor
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Stephen Kent
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… i-barreira
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Stephen Kent
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- [Trans] trans doc issues Stephen Kent