Re: [Trans] overview of remaining(?) DISCUSS items for draft-ietf-trans-rfc6962-bis-33

Rob Stradling <rob@sectigo.com> Wed, 02 October 2019 18:44 UTC

From: Rob Stradling <rob@sectigo.com>
To: Paul Wouters <paul@nohats.ca>
CC: Andrew Ayer <agwa@andrewayer.name>, Trans <trans@ietf.org>, Alissa Cooper <alissa@cooperw.in>, Eran Messeri <eranm@google.com>
Date: Wed, 02 Oct 2019 18:44:33 +0000
Message-ID: <DM6PR17MB31624457FAC84E6D7DC91AE2AA9C0@DM6PR17MB3162.namprd17.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/sLwPn4jwOs1mct7s2R66XEvBCuw>
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>

Paul,

Does https://github.com/google/certificate-transparency-rfcs/pull/314 address your concern?

May I go ahead and merge this PR?

(It's still not clear to me what the 6962-bis authors can or can't do at this point in the editing cycle).

________________________________
From: Eran Messeri <eranm@google.com>
Sent: 25 September 2019 17:11
To: Rob Stradling <rob@sectigo.com>
Cc: Paul Wouters <paul@nohats.ca>; Andrew Ayer <agwa@andrewayer.name>; Trans <trans@ietf.org>; Alissa Cooper <alissa@cooperw.in>
Subject: Re: [Trans] overview of remaining(?) DISCUSS items for draft-ietf-trans-rfc6962-bis-33
On Wed, Sep 25, 2019 at 12:16 PM Rob Stradling <rob@sectigo.com> wrote:
On 24/09/2019 18:38, Paul Wouters wrote:
> On Tue, 24 Sep 2019, Andrew Ayer wrote:
>
>>> While I agree with you, I am just a WG chair. So we need to hear a few
>>> more opinions of people and then if there is a consensus, we can go
>>> ahead and make this change.
>>
>> I'm also not sure what "this change" would be, but I agree with the
>> other comments here that CT shouldn't provide a mechanism for logs to
>> change URL.
>
> I meant the clarification text of Base URL change (versus a potential
> other consensus of text that would allow updating the base url)
>
> I'm not sure what the policy is for declaring a registry append only.
> Maybe leave a comment in for IANA whether or not that needs text?

In -33, section 10.6.1 says:
   "Each application for the allocation of a Log ID MUST be accompanied
    by:
      - the Log's Base URL (see Section 4.1).
      - a Contact (including contact information), from whom further
        information can be obtained.
      - an Owner (including contact information), who is authorized to
        change this Log ID allocation."

I think we should fold "Owner" and "Contact" into just one field named
"Log Operator", and clarify that the only part of a Log ID Registry
entry that can be updated is the log operator's contact information.

Also, given that log operators are permitted to allocate Log IDs from
other OID arcs (see section 4.4), ISTM that we also need to update
section 4.1 to say that a log's Base URL is immutable.

Furthermore, ISTM that it would help to be explicit about the
immutability of each and every log parameter.

Here's a PR that attempts to resolve all of the above:
https://github.com/google/certificate-transparency-rfcs/pull/314

I agree with Rob and Ryan's stance - as demonstrated with 6962 deployment, client agility would address the issue of logs wanting to change their URLs (and I do not recall an occasion where having the ability to change just the log URL would have been helpful).

> Or alternatively, in the text for the Expert Review, mention the
> registry is strictly append-only ?

There is no Expert Review text relating to the Log ID Registry.

--
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited
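Added example, not part of this thread or of the draft: a Python check that applies the immutability rule discussed above to two snapshots of a Log ID registry, flagging any change to a log parameter under an existing Log ID while allowing only the log operator's contact details to be updated. The field names, the 2.999 example-arc OIDs and the sample entries are constructed assumptions, not real logs.

```python
# Constructed sample registry snapshots (not real CT logs); OIDs under the
# ITU-T example arc 2.999 identify no real log. Field names are assumptions
# modelled on the section 10.6.1 text and the "Log Operator" proposal.
def entry(log_id, base_url, key, contact):
    return {"log_id": log_id, "base_url": base_url, "public_key": key,
            "log_operator": {"name": "Example Ops", "contact": contact}}

BEFORE = {"logs": [
    entry("2.999.1.1", "https://ct.example.net/2019/", "KEY-A", "ct@example.net"),
    entry("2.999.1.2", "https://ct.example.org/argon/", "KEY-B", "logs@example.org"),
]}
AFTER = {"logs": [
    # permitted: only the operator's contact information changed
    entry("2.999.1.1", "https://ct.example.net/2019/", "KEY-A", "ct-team@example.net"),
    # violation: Base URL changed under an existing Log ID
    entry("2.999.1.2", "https://ct2.example.org/argon/", "KEY-B", "logs@example.org"),
    # fine: a log with a new URL is a new log and gets a new Log ID
    entry("2.999.1.3", "https://ct.example.org/xenon/", "KEY-C", "logs@example.org"),
]}

# Every log parameter is fixed once the Log ID is allocated; only the
# operator's contact information may be updated afterwards.
IMMUTABLE_FIELDS = ("base_url", "public_key")
MUTABLE_FIELDS = ("log_operator",)


def check_registry_update(before, after):
    """Diff two registry snapshots by Log ID. Returns a dict of
    violations (immutable field changed), updates (permitted change),
    added Log IDs, and removed Log IDs (never expected: append-only)."""
    old = {e["log_id"]: e for e in before["logs"]}
    new = {e["log_id"]: e for e in after["logs"]}
    violations, updates = [], []
    for log_id in sorted(old.keys() & new.keys()):
        for field in IMMUTABLE_FIELDS:
            if old[log_id].get(field) != new[log_id].get(field):
                violations.append((log_id, field))
        for field in MUTABLE_FIELDS:
            if old[log_id].get(field) != new[log_id].get(field):
                updates.append((log_id, field))
    return {"violations": violations, "updates": updates,
            "added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys())}
```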

_______________________________________________
Trans mailing list
Trans@ietf.org
https://www.ietf.org/mailman/listinfo/trans