Re: [Trans] path validation
Stephen Kent <kent@bbn.com> Wed, 01 October 2014 14:34 UTC
Return-Path: <kent@bbn.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EE0E1ACDE5 for <trans@ietfa.amsl.com>; Wed, 1 Oct 2014 07:34:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.986
X-Spam-Level:
X-Spam-Status: No, score=-4.986 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.786, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nABQE_Pr5I68 for <trans@ietfa.amsl.com>; Wed, 1 Oct 2014 07:34:26 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 409E91ACDB9 for <trans@ietf.org>; Wed, 1 Oct 2014 07:34:25 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:40949 helo=comsec.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1XZKzG-0005Pi-P5 for trans@ietf.org; Wed, 01 Oct 2014 10:34:39 -0400
Message-ID: <542C10ED.2060902@bbn.com>
Date: Wed, 01 Oct 2014 10:34:21 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: trans@ietf.org
References: <54296FB2.1060109@bbn.com> <4262AC0DB9856847A2D00EF817E81139233695@scygexch10.cygnacom.com> <544B0DD62A64C1448B2DA253C011414607D1629838@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <4262AC0DB9856847A2D00EF817E8113923370C@scygexch10.cygnacom.com> <544B0DD62A64C1448B2DA253C011414607D162989C@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <20140930005524.GP16215@hezmatt.org>
In-Reply-To: <20140930005524.GP16215@hezmatt.org>
Content-Type: multipart/alternative; boundary="------------060308070005010308000001"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/mQvvqnqzdseoQ5PH0WIsfv1fz24
Subject: Re: [Trans] path validation
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Oct 2014 14:34:27 -0000
Matt, > Logs shouldn't be enforcing *anything*. A log isn't a judge, it's a > record. The only constraints on what should be rejected from being > accepted by a log should be those things which prevent abuse > sufficient to render a log unusable. That's a very simple, strong assertion, but it isn't accompanied by a rationale. I agree that the current description of a log focuses on recording cert info, but it already includes an element of "judgement" since it has a list of the root CAs that must anchor the cert chains that it will accept. If we stick with the detection of mis-issuance rationale that the document asserts as the goal for CT, and if we define mis-issuance as broadly as Ben suggested in response to my first cut at a defintiion, with his specific references to EV certs and key sizes, then we have to check certs against those criteria at some place in the system. The current design appears to call for Monitors to do this, and one could stick with that approach. The description of Monitors says that " They alsowatch for certificates of interest." I interpret this to mean that a Monitor has a list of certs, or of Subject names and keys, that it is "protecting." If a Subject does not run its own Monitor, and it it doesn't arrange for some other entity to act as a Monitor to protect the Subject's certs, then no checking for syntactic mis-issuance will take place. That observation motivates exploring the notion of having logs perform the function. By so doing we have an opportunity to perform detection of syntactic mis-issuance for every logged cert, a service to the broad Web PKI community. It seems as though some are arguing that if a log rejects certs that fail to meet the syntactic criteria this is a bad thing, because it will deter logging of certs. I thought the CT design makes a counter argument, i.e., that CAs are motivated to log certs because, over time, TLS clients will reject connections to servers when there is no evidence of an SCT. if this argument is true, then having logs check for syntactic mis-issuance is a good thing. If the argument is not true, it should not be part of the "why CT will work" description. Steve
- [Trans] path validation Stephen Kent
- Re: [Trans] path validation Santosh Chokhani
- Re: [Trans] path validation Rick Andrews
- Re: [Trans] path validation Santosh Chokhani
- Re: [Trans] path validation Rick Andrews
- Re: [Trans] path validation David Leon Gil
- Re: [Trans] path validation Santosh Chokhani
- Re: [Trans] path validation Rick Andrews
- Re: [Trans] path validation Melinda Shore
- Re: [Trans] path validation Matt Palmer
- Re: [Trans] path validation Jeremy Rowley
- Re: [Trans] path validation Melinda Shore
- Re: [Trans] path validation Kyle Hamilton
- Re: [Trans] path validation Stephen Kent
- Re: [Trans] path validation Stephen Kent
- Re: [Trans] path validation Stephen Kent
- Re: [Trans] path validation David Leon Gil
- Re: [Trans] path validation Carl Wallace
- Re: [Trans] path validation Stephen Farrell
- Re: [Trans] path validation Rob Stradling
- Re: [Trans] path validation Stephen Kent
- Re: [Trans] path validation Stephen Kent
- Re: [Trans] path validation Stephen Kent
- Re: [Trans] path validation Russ Housley
- Re: [Trans] path validation David Leon Gil
- Re: [Trans] path validation Stephen Kent