Re: [Trans] Clarification needed
Eran Messeri <eranm@google.com> Tue, 05 August 2014 21:25 UTC
Return-Path: <eranm@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DA611A0332 for <trans@ietfa.amsl.com>; Tue, 5 Aug 2014 14:25:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level:
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lo9eEUadgXXe for <trans@ietfa.amsl.com>; Tue, 5 Aug 2014 14:25:26 -0700 (PDT)
Received: from mail-vc0-x229.google.com (mail-vc0-x229.google.com [IPv6:2607:f8b0:400c:c03::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 236611A0316 for <trans@ietf.org>; Tue, 5 Aug 2014 14:25:25 -0700 (PDT)
Received: by mail-vc0-f169.google.com with SMTP id le20so2679263vcb.28 for <trans@ietf.org>; Tue, 05 Aug 2014 14:25:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=1nWy/9b3FVIY86nfnsJeu5mGUNplYLE8QI00FAiDy2c=; b=fwfCxmYrb+VcwTu/TyEcRoxq2bipzpze00mN/j3U4mNm14/CVIBLaAp5LttbUFaZlR ptbvvNDYZiBPUtqA9n0Xa/fH2GYKrFZmFu1IO55lnNBRKWRpw0deGTW8AttFMKIQtQrB ptKnvE95FjbQvHEVJKVOHJoQNmFzbNQtRaGeVl6VOOm6oDHGnSbFtWCCn6O/UoM+HYG9 F2zVKjQkLXhykgurIjDGPctey/wi1WHW7vGbJl4ngnRon11DbwXWEa1mrGoG0qlI/ODV Bo48DDTJDc5lIUgXiLPU9VywTBu/2CzGyOMjUbmvYT5NnoBARmCbL1CP8lr7p2BrCy2n G14A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=1nWy/9b3FVIY86nfnsJeu5mGUNplYLE8QI00FAiDy2c=; b=bV4jqIFb2UEMlf+CRq3mByfgVMQ/bfpkPn00yHRDrqBLBVjDosyxQTHrDF4Dm6h8bJ 4jCq6IgWXQAnpDP0Mpj3hXFfgnF2WFY3J/3zsa0giiMmoGDBddNDo4lOSfImIR01ZFNH TBCSAt3FXq7fttIS4uiyM8Jrc43P1mTrwboYaK8qUkxZWfErPlP/o7eRXsXqjbI+dFQY T6b6abH+tY/iU/PO+scdQ7Eq9kiyQyvfFXdxYd8wcEk+MybBSVq6bAYq9wRHv3qwwDf8 VrPCy0wA/W0CyUFmJibiejBx+eyoNKc5+mYaOiF6HCxmHlmdN/0UfE7stbQ7cU4mmrjQ gXuQ==
X-Gm-Message-State: ALoCoQkZxPb9duiDZWE5z+tXCrDZVDWOR78tw4udPRjBjoZ7R7orfv+4jTSqr0A/Z1ChpODB15P9
MIME-Version: 1.0
X-Received: by 10.220.200.71 with SMTP id ev7mr6956259vcb.24.1407273925132; Tue, 05 Aug 2014 14:25:25 -0700 (PDT)
Received: by 10.52.24.82 with HTTP; Tue, 5 Aug 2014 14:25:25 -0700 (PDT)
In-Reply-To: <544B0DD62A64C1448B2DA253C011414607CE9B9971@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
References: <544B0DD62A64C1448B2DA253C011414607CE9B9971@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
Date: Tue, 05 Aug 2014 22:25:25 +0100
Message-ID: <CALzYgEf7pXRPnjhU-+zJKxV2KwWq3W2NjGGDgKr8z9rT+=M+7g@mail.gmail.com>
From: Eran Messeri <eranm@google.com>
To: Rick Andrews <Rick_Andrews@symantec.com>
Content-Type: multipart/alternative; boundary="089e011845ea68f1e104ffe87e88"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/oEgLngmmaRFipfGnJN4lgeMQhQg
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] Clarification needed
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Aug 2014 21:25:28 -0000
On Tue, Aug 5, 2014 at 10:10 PM, Rick Andrews <Rick_Andrews@symantec.com> wrote: > In thinking about how log servers should behave, I came up with two > cases that should probably be addressed in the –bis so that all log servers > behave the same way. > > 1) Let’s say I’ve issued a cert and embedded the SCTs in the cert. Now I > (or someone else) send the cert to log servers using the add-chain command. > What happens? Should the log server see if one of the SCTs is from itself, > and if so just return that SCT? Or should it generate a new SCT? > > Rob Stradling helped me understand that the SCTs in the cert would have a > "entry_type" of "precert_entry", so the log server shouldn’t just return > that. Instead, it seems that it should create a new SCT with an > "entry_type" of "x509_entry". But it’s worth clarifying that this new SCT > would contain a hash over the entire cert, including the existing SCTs, > even if one of those embedded SCTs originated from that same log server. > Good point - it's completely valid to send a certificate with embedded SCT from one log as an x509_entry certificate to other logs to obtain additional SCTs. The RFC should be explicit about this situation. > > 2) Finally, is it worth clarifying that while anyone can invoke the > add-chain command, only CAs are expected to invoke the add-pre-chain > command? Should log servers return an error if the pre-cert presented in > the add-pre-chain command does not contain the poison extension? > Yes - and the reference open-source implementation already returns an error if the poison extension is not present: https://github.com/google/certificate-transparency/blob/master/cpp/log/cert.cc#L879 (coincidentally, the open-source implementation will also return an error if the poison extension *is* present in a certificate added by add-chain rather than add-pre-chain). > > Finally, it might be worth clarifying Section 4.2, Add PreCertChain to > Log, where the input is described as “An array of base64-encoded > Precertificates”, which seems to imply that the CA can send multiple > pre-certs and chains in a single command. The rest of the description makes > it clear that the log server expects only one chain, the first cert in the > chain is the pre-cert and the following certs are the (non-pre-cert) certs > in the chain. > > Excellent observation - there's an errata for RFC6962 exactly for this wording: http://www.rfc-editor.org/errata_search.php?rfc=6962 > > > It’s not clear to me if I should create issues in the tracker for these. I > thought I would get some initial feedback first. > I suggest you do - definitely for (1), I've created one <http://trac.tools.ietf.org/wg/trans/trac/ticket/45> for (3)( as the errata should be incorporated into -bis). > > -Rick > > > > > > _______________________________________________ > Trans mailing list > Trans@ietf.org > https://www.ietf.org/mailman/listinfo/trans > >
- [Trans] Clarification needed Rick Andrews
- Re: [Trans] Clarification needed Eran Messeri