Re: [Trans] Precertificate format

Brian Smith <brian@briansmith.org> Tue, 09 September 2014 20:23 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65BA21A0190 for <trans@ietfa.amsl.com>; Tue, 9 Sep 2014 13:23:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LEqdJRXMKtXn for <trans@ietfa.amsl.com>; Tue, 9 Sep 2014 13:23:28 -0700 (PDT)
Received: from mail-qc0-f173.google.com (mail-qc0-f173.google.com [209.85.216.173]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1DACE1A0185 for <trans@ietf.org>; Tue, 9 Sep 2014 13:23:28 -0700 (PDT)
Received: by mail-qc0-f173.google.com with SMTP id w7so18000474qcr.4 for <trans@ietf.org>; Tue, 09 Sep 2014 13:23:27 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=eViRrn50iHre4NJo1JWTqVb6hsg/UDCf+ALPNjzvMLg=; b=kgxSiXPXBbo4ptmRvbi6P87VObD849l44gO0uYPfzWPVa7WZnmW7f088iGYNkTE9u7 BHcXpvtbzT5Uhvluipb+UOZyyIj22qAj+/I3J3EWwqK4LkkPqv5z+BVXbcj31jHdl5oS 0GNbX1TJITlBw2KTYkeIPXY2C3A9M6wtN+2p8YlCf0C53d9otK7o3L+InRzsAd/9loaN e5B+MQOT4IXT0Tm54tfR9V7RBKjaK4T4Zcdi2Gdzh3/H4vPKGFY8GMeI4kFSTsVIQ4bo +tld7d+Fa3klC3EPT24abwZdXBvpksLinEp5DoRiHSLlmIAlSXyNEmmJGqkTkd/JejAc DSsw==
X-Gm-Message-State: ALoCoQnLGIjnKaxTR3VSU5Upph0befb30b1O4eoWqrpI+yEREpzn62YjYpXgDeLe/XR+z2Wia3t3
MIME-Version: 1.0
X-Received: by 10.229.68.131 with SMTP id v3mr54372905qci.10.1410294207305; Tue, 09 Sep 2014 13:23:27 -0700 (PDT)
Received: by 10.224.67.133 with HTTP; Tue, 9 Sep 2014 13:23:27 -0700 (PDT)
In-Reply-To: <540F3939.4070302@bbn.com>
References: <540DFA75.2040000@gmail.com> <540E0E90.1070208@bbn.com> <CAFewVt5kZqw0-W7PqtFHe7yJUsR9PqVJ6C74ZShgo0qs19wLjA@mail.gmail.com> <540F3939.4070302@bbn.com>
Date: Tue, 9 Sep 2014 13:23:27 -0700
Message-ID: <CAFewVt5MRb5gVyK3daTHN=JyXq1WG_PEBn4u0YacJJk9ffN7mg@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/pGlveip5wG1_MvPr6Z_Iva68XUQ
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] Precertificate format
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Sep 2014 20:23:32 -0000

On Tue, Sep 9, 2014 at 10:30 AM, Stephen Kent <kent@bbn.com> wrote:
> Brian,
>
> Can you re-state your proposal. I'm confused, in part because one does
> not sign anything using a cert; one verifies a signed thing using a public
> key from a cert.

Rick and Carl did a good job of explaining why my line of reasoning
didn't make sense in the first place, regardless of my poor choice of
terminology.

By the way, in draft -04 there are similar abuses of terminology that
should be cleaned up. Here's one example, "The resulting
TBSCertificate [RFC5280] is then signed with either [...] a
special-purpose [...] Precertificate Signing Certificate [...] or, the
CA certificate that will sign the final certificate." There are
probably more.

Also, it might be worth mentioning in the draft that it doesn't make
sense to use a Precertificate Signing Certificate if it has the same
public key as the issuing certificate.

Cheers,
Brian