IETF Logo Mail Archive

Re: [Trans] path validation

Stephen Kent <kent@bbn.com> Wed, 01 October 2014 14:34 UTC

Return-Path: <kent@bbn.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EE0E1ACDE5 for <trans@ietfa.amsl.com>; Wed, 1 Oct 2014 07:34:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.986
X-Spam-Level:
X-Spam-Status: No, score=-4.986 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.786, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nABQE_Pr5I68 for <trans@ietfa.amsl.com>; Wed, 1 Oct 2014 07:34:26 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 409E91ACDB9 for <trans@ietf.org>; Wed, 1 Oct 2014 07:34:25 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:40949 helo=comsec.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1XZKzG-0005Pi-P5 for trans@ietf.org; Wed, 01 Oct 2014 10:34:39 -0400
Message-ID: <542C10ED.2060902@bbn.com>
Date: Wed, 01 Oct 2014 10:34:21 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: trans@ietf.org
References: <54296FB2.1060109@bbn.com> <4262AC0DB9856847A2D00EF817E81139233695@scygexch10.cygnacom.com> <544B0DD62A64C1448B2DA253C011414607D1629838@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <4262AC0DB9856847A2D00EF817E8113923370C@scygexch10.cygnacom.com> <544B0DD62A64C1448B2DA253C011414607D162989C@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <20140930005524.GP16215@hezmatt.org>
In-Reply-To: <20140930005524.GP16215@hezmatt.org>
Content-Type: multipart/alternative; boundary="------------060308070005010308000001"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/mQvvqnqzdseoQ5PH0WIsfv1fz24
Subject: Re: [Trans] path validation
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Oct 2014 14:34:27 -0000

Matt,
> Logs shouldn't be enforcing *anything*. A log isn't a judge, it's a 
> record. The only constraints on what should be rejected from being 
> accepted by a log should be those things which prevent abuse 
> sufficient to render a log unusable. 
That's a very simple, strong assertion, but it isn't accompanied by a 
rationale.

I agree that the current description of a log focuses on recording cert
info, but it already includes an element of "judgement" since it has
a list of the root CAs that must anchor the cert chains that it will accept.

If we stick with the detection of mis-issuance rationale that the document
asserts as the goal for CT, and if we define mis-issuance as broadly as Ben
suggested in response to my first cut at a defintiion, with his specific 
references
to EV certs and key sizes, then we have to check certs against those 
criteria at some
place in the system.

The current design appears to call for Monitors to do this, and one 
could stick
with that approach. The description of Monitors says that " They 
alsowatch for
certificates of interest." I interpret this to mean that a Monitor has a 
list
of certs, or of Subject names and keys, that it is "protecting." If a 
Subject
does not run its own Monitor, and it it doesn't arrange for some other 
entity
to act as a Monitor to protect the Subject's certs, then no checking for
syntactic mis-issuance will take place. That observation motivates 
exploring the
notion of having logs perform the function. By so doing we have an 
opportunity to
perform detection of syntactic mis-issuance for every logged cert, a 
service to
the broad Web PKI community.

It seems as though some are arguing that if a log rejects certs that 
fail to meet
the syntactic criteria this is a bad thing, because it will deter 
logging of certs.

I thought the CT design makes a counter argument, i.e., that CAs are 
motivated
to log certs because, over time, TLS clients will reject connections to 
servers
when there is no evidence of an SCT. if this argument is true, then 
having logs
check for syntactic mis-issuance is a good thing. If the argument is not 
true,
it should not be part of the "why CT will work" description.

Steve

v2.23.0 | Report a Bug | By Email