Re: [Trans] Where do things stand with the precertificate format discussion?

Brian Smith <brian@briansmith.org> Wed, 17 September 2014 22:35 UTC

In-Reply-To: <541A010E.8050402@gmail.com>
References: <541A010E.8050402@gmail.com>
Date: Wed, 17 Sep 2014 15:35:07 -0700
Message-ID: <CAFewVt5P+8opZR13+EbrmTeDBfnwSu0B-5sU4gArsDuN361Jmw@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Melinda Shore <melinda.shore@gmail.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/oJ1W0Lmp3__FotdhXVdkkYoMUqI
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] Where do things stand with the precertificate format discussion?

On Wed, Sep 17, 2014 at 2:45 PM, Melinda Shore <melinda.shore@gmail.com> wrote:
> There've been a couple of proposals for alternative representation,
> including TBS (alternatively, the CertTemplate format from 4211) and
> CRMF, and there seems to be some agreement congealing around Erwann's
> summary:
>
>>IIUC, what you propose is that the PreCert is a CMS (RFC5652) with a
>>signedData content-type, for which the data is the TBSCertificate
>>(name-redacted or not, no necessary poison extension). The SignerInfo
>>refers to the PreCert issuer (CA or dedicated issuer, same as now).

CMS is not a good format for the PreCert, because CMS is highly
complicated and unnecessarily complex for this purpose. And, in
particular, CMS is specified as a BER-encoded format, not a
DER-encoded format, and it isn't reasonable to require implementations
to support a BER-encoded format for CT when all other things they
process are DER-encoded. In particular, some implementations may have
specialized DER decoders that cannot be practically adapted to deal
with BER.

I previously suggested an alternative syntax that would be much easier
to implement:
http://www.ietf.org/mail-archive/web/trans/current/msg00500.html

> Related, there's a proposal on the table to walk through cert data and
> justify SCT contents.

There is a proposal for that, but I don't think it has much support. I
myself do not think that would be a useful thing to do.

Cheers,
Brian
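The DER-versus-BER point Brian makes above, as an added example that is not from this thread or from any CT or CMS implementation: a minimal strict-DER TLV reader (hypothetical, written for this note) that accepts a definite-length SEQUENCE but rejects the indefinite-length and non-minimal-length forms that a CMS (RFC 5652) parser must accept, which is exactly what a DER-only decoder would do when handed BER.

```python
# Added example, not code from the thread: a strict-DER TLV reader showing
# which BER constructs a DER-only decoder has to reject.

def read_tlv(buf, pos=0):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos).
    Raises ValueError on encodings that BER allows but DER forbids."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first == 0x80:
        # Indefinite length (value terminated by 00 00): legal BER, never DER.
        raise ValueError("indefinite length is BER, not DER")
    if first < 0x80:
        length = first                      # short form, 0..127
    else:
        nbytes = first & 0x7F               # long form: count of length octets
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        # DER requires the shortest length encoding: long form only for
        # lengths >= 128, and no leading zero length octets.
        if length < 0x80 or length < (1 << (8 * (nbytes - 1))):
            raise ValueError("non-minimal length encoding is BER, not DER")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, bytes(buf[pos:pos + length]), pos + length


def is_strict_der(buf):
    """True if buf is exactly one well-formed DER TLV with no trailing bytes."""
    try:
        _, _, end = read_tlv(buf)
    except ValueError:
        return False
    return end == len(buf)


# Constructed sample inputs: SEQUENCE { INTEGER 5 } encoded three ways.
DER_SEQ = bytes.fromhex("3003020105")        # definite, minimal length (DER)
BER_INDEF = bytes.fromhex("30800201050000")  # indefinite length + end-of-contents
BER_LONG = bytes.fromhex("308103020105")     # long-form length for a value of 3

if __name__ == "__main__":
    for name, blob in [("DER", DER_SEQ), ("BER indefinite", BER_INDEF),
                       ("BER long-form", BER_LONG)]:
        print(f"{name:15s} accepted by DER-only decoder: {is_strict_der(blob)}")
```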