Re: [Trans] [saag] draft-iab-crypto-alg-agility-00

Phillip Hallam-Baker <hallam@gmail.com> Fri, 11 April 2014 00:55 UTC

Date: Thu, 10 Apr 2014 20:55:04 -0400
Message-ID: <CAMm+LwgttEr8f_31ghfbK9Dm+5xttO8nMj+m7xVtBqXepr62gQ@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Ben Laurie <benl@google.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/mTn4qqsd0bLo7WmcxjwsxKvl_So
Cc: "Salz, Rich" <rsalz@akamai.com>, "trans@ietf.org" <trans@ietf.org>, Dmitry Belyavsky <beldmit@gmail.com>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [Trans] [saag] draft-iab-crypto-alg-agility-00
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>

On Wed, Apr 9, 2014 at 9:13 AM, Ben Laurie <benl@google.com> wrote:
> On 9 April 2014 01:49, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>> Since TRANS is joined to X.509 at the hip, how about we just shovel
>> all the metadata describing the configuration of the notary into the
>> certificate that signs the notary log outputs periodically?
>
> I guess if you are a CA everything looks like a certificate.
> Currently, logs do not use certificates to manage their own keys. I
> guess they could. But I thought you preferred JSON for new stuff?

I do, but I also prefer to avoid long discussions that I don't think I
am going to win.

As a general matter, most mechanisms that manage keys are likely to
generate X.509v3 certificates or CRSs as a by-product. Even some of
the DNSSEC stuff generates them.


>> I am assuming here that the signing hierarchy for the log has an
>> offline key that periodically signs the online key.
>
> Again, currently, no. Seems to me that you can introduce a lot of
> complication this way not needed for the only known client use case
> (deployment in Chrome). Not against specifying it, to be clear, but
> unsure it should live in the same doc. Or hold it up.

I tend to think that anyone who would check cert status against TRANS
is already doing X.509v3 and bar

-- 
Website: http://hallambaker.com/