[Trans] Fwd: Certificate Transparency with Russian GOST algorithms

Melinda Shore <melinda.shore@gmail.com> Tue, 11 March 2014 18:36 UTC

Return-Path: <melinda.shore@gmail.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 71A241A0788 for <trans@ietfa.amsl.com>; Tue, 11 Mar 2014 11:36:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 3H0YLzyb57Zj for <trans@ietfa.amsl.com>; Tue, 11 Mar 2014 11:36:44 -0700 (PDT)
Received: from mail-pa0-x233.google.com (mail-pa0-x233.google.com [IPv6:2607:f8b0:400e:c03::233]) by ietfa.amsl.com (Postfix) with ESMTP id B5CEB1A07B0 for <trans@ietf.org>; Tue, 11 Mar 2014 11:36:42 -0700 (PDT)
Received: by mail-pa0-f51.google.com with SMTP id kq14so9216552pab.38 for <trans@ietf.org>; Tue, 11 Mar 2014 11:36:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=rXRRIiqC/i2bYMDcsclfLch4hfqms+4AZ1Y8k3gGrF4=; b=ca/6eL+59vJZD2E/M3YhsahEeonoyOZ0ZnX7xqAgSpyExKPh1V+d/161bmLXp0jYfA jcbDoH1UHtA9xhVXGhTuCaW4YWFeC7VSzMn3V0i/EdSfInYuUJ2pQHgAOVo9hiYtzOb9 TWbvhmZTNtbKUKOR3NYMp5eDNmXI5KMcN9JVD73G4jeylCnr9TgdL6uL4qLj8oREslKO LGlE4x6OV2oN0yEMBqNn1NXVbXCTDXDImh/wC5gX/64beJ/eBsWCZOKOM96WucMCdAGa n0DHVThjj5+LIgWhWWX8vPrJ4XPm/NPQ592qtU8ASwBgSwModz2KIdiKNEYd08au90vW FM7g==
X-Received: by with SMTP id yi10mr49046242pab.95.1394562997021; Tue, 11 Mar 2014 11:36:37 -0700 (PDT)
Received: from spandex.local (209-112-197-35-rb1.nwc.dsl.dynamic.acsalaska.net. []) by mx.google.com with ESMTPSA id sy2sm76880997pbc.28.2014. for <trans@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 11 Mar 2014 11:36:36 -0700 (PDT)
Message-ID: <531F57B2.6030505@gmail.com>
Date: Tue, 11 Mar 2014 10:36:34 -0800
From: Melinda Shore <melinda.shore@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: "trans@ietf.org" <trans@ietf.org>
References: <531F530B.4040703@tcinet.ru>
In-Reply-To: <531F530B.4040703@tcinet.ru>
X-Forwarded-Message-Id: <531F530B.4040703@tcinet.ru>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/n8ih177I5OxJt8KTQLzY2mh_raw
Subject: [Trans] Fwd: Certificate Transparency with Russian GOST algorithms
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Mar 2014 18:36:46 -0000

For some reason Dmitry's mail is not arriving at the
IETF server, so I thought I would forward it myself.


-------- Original Message --------
Subject: Certificate Transparency with Russian GOST algorithms
Date: Tue, 11 Mar 2014 22:16:47 +0400
From: Dmitry Belyavsky <beldmit@tcinet.ru>
To: trans@ietf.org
CC: melinda.shore@gmail.com

Hi all!

Here are some thoughts about using CT in Russia with Russian
cryptographic algorithms (GOST). They were discussed with Ben Laurie
during the IETF meeting in London. I am not sure which mailing list is
the right place to post to, so I post it to the WG mailing list.

Laws and practice in Russia requires using of the GOST hash and digital
signature in X.509 certificates for government services. These
certificates are signed by Russians CAs which are not in lists of
trusted CAs in major browsers. It is not a problem to create an
installation of log server in Russia containing the list of Russian CAs.
But Russia-based service should use the GOST hash algorithm in the
Merkle tree and GOST signature algorithm for signing SCT. It seems to be
not a problem because if GOST-based certificates are submitted to
GOST-based log, browsers not understanding the GOST algorithms will not
have to verify GOST-based SCTs. But also it means that the hashing
algorithm of Merkle tree should become the config-time parameter of the
log instance instead of being hardcoded. Also it should be possible to
find out which algorithm is used in this or that log instance and it
should be strictly prohibited to change this algorithm after start of
the log instance. It seems to be a good idea anyway because of the
requirements of cryptographic algorithms agility.

SY, Dmitry Belyavsky