Re: [Trans] DNSSEC also needs CT

Joseph Bonneau <jbonneau@gmail.com> Tue, 13 May 2014 05:23 UTC

>
> Is CT intended to be run all the way from the root to the CAs furthest
>  from the root?  I didn't think it was, and if it is, please tell me.
>

Yes, it is. The goal of CT is that browsers will eventually reject any
end-entity TLS certificate that doesn't have an SCT. I believe this is true
regardless of the number of intermediate CAs in the cert's path to a
trusted root. There's an exception for trust anchors manually added to the
browser to accommodate private CAs, but essentially all certificates that
standard browsers will accept out of the box must be logged.

By contrast, with DNSSEC you seem to be suggesting that many DNSSEC records
that browsers/resolvers will accept as genuine will not be logged anywhere
(or will be logged somewhere that isn't necessarily audited) and the browser
will still accept them.