Re: [Trans] draft-ietf-trans-rfc6962-bis-31
Eran Messeri <eranm@google.com> Thu, 20 June 2019 10:10 UTC
Return-Path: <eranm@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 984481201E4 for <trans@ietfa.amsl.com>; Thu, 20 Jun 2019 03:10:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.509
X-Spam-Level:
X-Spam-Status: No, score=-17.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TOLkMFCXK71H for <trans@ietfa.amsl.com>; Thu, 20 Jun 2019 03:10:00 -0700 (PDT)
Received: from mail-yw1-xc2f.google.com (mail-yw1-xc2f.google.com [IPv6:2607:f8b0:4864:20::c2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B37E512003F for <trans@ietf.org>; Thu, 20 Jun 2019 03:10:00 -0700 (PDT)
Received: by mail-yw1-xc2f.google.com with SMTP id l79so920364ywe.11 for <trans@ietf.org>; Thu, 20 Jun 2019 03:10:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=93koxKBO7uppo/DGhoG5Qefyy9sXZCrZKxSsVlcGi10=; b=aqnwxt/Fk9OkSU0wqfJeqTMJmZdkqFWmc4ue2vdAuxXY2aaFqAycnAmtQc8hcQKjnP WvVpFG8vqwRJ2je7ciqNcMWwXWnihsTITShv4uKuRJ7z7EBcxRR4fPOw6qbmbHr8zkbZ 7AWJJ6Mzon5Sdbo9qvD/9idBjWvoMOcoCnuvoeHog5JjByjHdet6ZZptCAGm+SwZh9T7 E3SxTy01DbzaSAUpg7uOJhiKK3wBOUtlE/oJkAEb2FEXXWXoV+ur7jGZrieLGlqvXFxu HGmBTcSuFBb5VsDb1qE9DM5vZpCtb5a5PbSrxF83T+37/vOYSqFjNLJIoZSKihDThE4W plsw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=93koxKBO7uppo/DGhoG5Qefyy9sXZCrZKxSsVlcGi10=; b=Mwr0sVQwKbgLgPUZ1f9lkyMzDtFE5w4vVDn5qN7sen31chRq5Y2mOWGYghAWfXkn8G WiRoJrBNF8WrLkx/wQsYcvZDx+qdrw65XVnmC3belOS3UiumQ8EX61C7zK86/ar3y+Tk Qv1bXFlee1myMEnwrc9HStgIPX2HNK2FK7hyKa2GsDweEUZqiDIQCSZqlMPAhmCKzQKb 45SH9XBcKuRBSTmN4D1l8irtZoXRvsLcwoaFP+qW+MPgeLLtntr8Mxf9hPq8W5XONu0S rAXrf47qXCoPbTatwVV9NWJl2UC5kRzkqWp5dLRL6lG9PEEapDTVOBR1JXbupkd21Qmj FnLA==
X-Gm-Message-State: APjAAAWHwNtE9Kt1gj2u6si0KVjrHzLEpqc46FB4xs4TiNgP7pFFc17X IFRw1CoL/v7u8tGGRZqklOv3mmXjVoiy/X1e1BGWRQ==
X-Google-Smtp-Source: APXvYqz76Ci3DglGf2vYOnfzRhzNkruApPmTuO33BA55A0Li4sIREV0toGKl9/12ykGEXl9TagB5uv7Rj+YCfRNsMkk=
X-Received: by 2002:a81:35c9:: with SMTP id c192mr64990285ywa.193.1561025399602; Thu, 20 Jun 2019 03:09:59 -0700 (PDT)
MIME-Version: 1.0
References: <MWHPR21MB0846D2C92633AE28A7B012EAA7E50@MWHPR21MB0846.namprd21.prod.outlook.com> <alpine.LRH.2.21.1906191936520.28894@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1906191936520.28894@bofh.nohats.ca>
From: Eran Messeri <eranm@google.com>
Date: Thu, 20 Jun 2019 11:09:33 +0100
Message-ID: <CALzYgEefnThirThr=LwvD-T=L_b1nmNSGG90kxffwb9rc8ry=g@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: Rashmi Jha <rashmij=40microsoft.com@dmarc.ietf.org>, "trans@ietf.org" <trans@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006e1589058bbe8c81"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/sUIJ6x6iB9cCesjVMTxVxVKvJLY>
Subject: Re: [Trans] draft-ietf-trans-rfc6962-bis-31
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jun 2019 10:10:03 -0000
Paul made the point quite accurately - CT is orthogonal to name-constraining a CA, and can be used to validate the CA has adhered to the constrained names. Additionally, there's no way to signal to a user agent that such a CA would be "exempt" from CT (some user agents have Enterprise controls to allow instances managed by the organization to not require CT for certain domains, though). On Thu, Jun 20, 2019 at 12:44 AM Paul Wouters <paul@nohats.ca> wrote: > On Wed, 19 Jun 2019, Rashmi Jha wrote: > > > Have you looked into the options of not requiring CT for CAs which are > constrained to a brief list of domains ? I understand this was considered > in the past but couldn’t find details why this was not > > accepted. > > Whether or not to require CT is not part of the document. This seems > more like a question to browser vendors. The draft only states: > > > In addition, if TLS clients will not accept unlogged certificates, > then site owners will have a greater incentive to submit certificates > to logs, possibly with the assistance of their CA, increasing the > overall transparency of the system. > > The "if" there is important. It is not a decision made in this document > or this Working Group. > > The draft only lists the requirements and formats for when CT is used. > > > Named constraint by default provide the assurance as to what domains > they will issue. CT becomes an additional network call in in issuance of > certificate which can be prevented. > > Not "assurance", but "expectation". CT is there to confirm this > expectation. Surely, you want CT logs to show captured certificates that > were signed by a CA outside of that CA's own Named constraint policy? > > Additionally, if you skip accepting certificates within a named > constraint, what do you do when some CA claims ".com" as their > named constraint? > > Paul > > _______________________________________________ > Trans mailing list > Trans@ietf.org > https://www.ietf.org/mailman/listinfo/trans >
- [Trans] draft-ietf-trans-rfc6962-bis-31 Rashmi Jha
- Re: [Trans] draft-ietf-trans-rfc6962-bis-31 Paul Wouters
- Re: [Trans] draft-ietf-trans-rfc6962-bis-31 Eran Messeri
- Re: [Trans] draft-ietf-trans-rfc6962-bis-31 Rashmi Jha
- Re: [Trans] draft-ietf-trans-rfc6962-bis-31 Watson Ladd
- Re: [Trans] draft-ietf-trans-rfc6962-bis-31 Rashmi Jha
- Re: [Trans] draft-ietf-trans-rfc6962-bis-31 Paul Wouters
- Re: [Trans] draft-ietf-trans-rfc6962-bis-31 Paul Wouters