Re: [Trans] Angle brackets in the PRIVATE option (Ticket #1)

"Doug Beattie" <doug.beattie@globalsign.com> Mon, 31 March 2014 22:05 UTC

From: Doug Beattie <doug.beattie@globalsign.com>
To: 'Peter Bowen' <pzbowen@gmail.com>, 'Rob Stradling' <rob.stradling@comodo.com>
References: <544B0DD62A64C1448B2DA253C011414607C85F3902@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CAK6vND-NToUO3FgC-Tp-nykj-LYpDQE0AewJeF5oUHow6XSLSQ@mail.gmail.com> <53393F1F.6080005@comodo.com> <CAK6vND88x3PFM1Ay9ebwRBCabJMrjLH=c7xMtKWBJhOuwMJ-pw@mail.gmail.com> <5339752C.7020808@comodo.com> <CAK6vND_Dk9+eEg7EPBuN=x2TO5Ss1RmcY+i6x1BbZvHUpAvBWw@mail.gmail.com>
In-Reply-To: <CAK6vND_Dk9+eEg7EPBuN=x2TO5Ss1RmcY+i6x1BbZvHUpAvBWw@mail.gmail.com>
Date: Mon, 31 Mar 2014 18:04:57 -0400
Message-ID: <063901cf4d2d$41c859b0$c5590d10$@globalsign.com>
Cc: trans@ietf.org, 'Rick Andrews' <Rick_Andrews@symantec.com>
Subject: Re: [Trans] Angle brackets in the PRIVATE option (Ticket #1)

I agree with Peter on this one, why are we making a long human readable
string for a cert that basically nobody will ever look at and will be used
only by the browser to validate the SCT (and the CA to create the SCT
extension)?  When the browser tries to validate an SSL certificate it needs
an indication that the SCTs were computed normally or via the Private
algorithm. Aren't all the SANs either private or not in a cert, and not a
mix?  (sorry if this is in a spec or an email that I missed).

It seems like the indicator to the browser should be at the SCT extension
level, not on every SAN entry (there could be hundreds), so we could omit
any indication of private at the per-SAN level.  If it needs to be at the
SAN level (for some reason), then put in a valid PrintableString character
(maybe 2) we'd never expect to see in the wild.

I'm sure I'm missing a key point.

Doug
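As an added illustration (not code from this thread, the draft, or any CT implementation), the following Python checks two points raised here: Peter's quoted estimate below that swapping "www" for "(PRIVATE)" across 200 SANs adds 1200 bytes, and Doug's suggestion of a marker built from PrintableString characters that can never form a real hostname label. It assumes one marker per hidden label and counts DER-encoded dNSName bytes only (the enclosing SEQUENCE length field is not re-counted); the 200 CDN-style names are constructed sample input.

```python
import re

# PrintableString repertoire (X.680): letters, digits, space, ' ( ) + , - . / : = ?
PRINTABLE_STRING = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"
)
# Letters-digits-hyphen hostname label: 1..63 chars, no leading/trailing hyphen.
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def marker_is_safe(marker: str) -> bool:
    """A redaction marker must be encodable (PrintableString is a subset of the
    IA5String that RFC 5280 uses for dNSName) yet never look like a real label."""
    return bool(marker) and set(marker) <= PRINTABLE_STRING and not LDH_LABEL.match(marker)


def redact_dns_name(name: str, labels_to_hide: int, marker: str) -> str:
    """Replace each of the leftmost `labels_to_hide` labels with `marker`.
    Assumed scheme: one marker per hidden label, and at least one real label
    must remain so the name still anchors to a registered domain."""
    labels = name.split(".")
    if not 0 < labels_to_hide < len(labels):
        raise ValueError(f"cannot hide {labels_to_hide} labels of {name!r}")
    return ".".join([marker] * labels_to_hide + labels[labels_to_hide:])


def der_dnsname_len(name: str) -> int:
    """Encoded size of a DER GeneralName dNSName [2] IA5String: tag + length + body."""
    body = len(name.encode("ascii"))
    length_field = 1 if body < 128 else 1 + (body.bit_length() + 7) // 8
    return 1 + length_field + body


def san_size_delta(names, labels_to_hide: int, marker: str) -> int:
    """Byte growth of the dNSName entries when every name in `names` is redacted."""
    return sum(
        der_dnsname_len(redact_dns_name(n, labels_to_hide, marker)) - der_dnsname_len(n)
        for n in names
    )


# Constructed sample: a CDN-style certificate carrying 200 "www." names.
CDN_NAMES = [f"www.site{i}.example" for i in range(200)]

if __name__ == "__main__":
    print(san_size_delta(CDN_NAMES, 1, "(PRIVATE)"))  # 1200, matching Peter's estimate
    print(san_size_delta(CDN_NAMES, 1, "?"))          # -400: a one-character marker shrinks the SAN
    for m in ("(PRIVATE)", "?", "www", "*"):
        print(m, marker_is_safe(m))
```

Note that '?' is itself a legal PrintableString character, so a single-character marker satisfies the encodability test while still failing the LDH label check.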

-----Original Message-----
From: Trans [mailto:trans-bounces@ietf.org] On Behalf Of Peter Bowen
Sent: Monday, March 31, 2014 10:57 AM
To: Rob Stradling
Cc: trans@ietf.org; Rick Andrews
Subject: Re: [Trans] Angle brackets in the PRIVATE option (Ticket #1)

On Mon, Mar 31, 2014 at 7:01 AM, Rob Stradling <rob.stradling@comodo.com>
wrote:
> On 31/03/14 14:44, Peter Bowen wrote:
>> If _completely_hidden_ is the requirement, then I agree that any 
>> option that is not f(x) = 1 (for fixed values of 1) fails.
>>
>> Why have the long string "(PRIVATE)" at all then?  Would a single '?'
>> not be adequate?  I don't think you will ever find '?' in a real 
>> dNSName.
>
>
> "PRIVATE" seemed a good choice of string literal from the point of 
> view of explaining the idea clearly, but I'm not bothered what string 
> literal we end up using.
>
> Why does the length of the string literal concern you?

I guess it does not really matter.  I was thinking about the future, when CT
is used for the CDN certificates with hundreds of SANs.
Moving "www" -> "(PRIVATE)" for 200 names increases the size by 1200 bytes.
Maybe additional size is not a big deal.

Thanks,
Peter

_______________________________________________
Trans mailing list
Trans@ietf.org
https://www.ietf.org/mailman/listinfo/trans