IETF Logo Mail Archive

Re: [Trans] Martin Duke's No Objection on draft-ietf-trans-rfc6962-bis-39: (with COMMENT)

"Salz, Rich" <rsalz@akamai.com> Thu, 29 July 2021 20:30 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7436A3A09FA for <trans@ietfa.amsl.com>; Thu, 29 Jul 2021 13:30:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.547
X-Spam-Level:
X-Spam-Status: No, score=-2.547 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zAgsYad9PUXl for <trans@ietfa.amsl.com>; Thu, 29 Jul 2021 13:30:18 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D32DB3A09F6 for <trans@ietf.org>; Thu, 29 Jul 2021 13:30:13 -0700 (PDT)
Received: from pps.filterd (m0122332.ppops.net [127.0.0.1]) by mx0a-00190b01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 16TKE1UB025258; Thu, 29 Jul 2021 21:30:12 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : content-type : mime-version; s=jan2016.eng; bh=nVzKYrzo86E1O1Cww2foaX8i8tU83WQTgdjNYVRKJmw=; b=hu/EblkcvMqT0KV5Q7xvzyBS1fBeXirudKZ1jLXIYwg2aq7y1sK3qt1aQExmsogTRgMy GoFmvDU3YClWVI7v+gfEOd/S+QWc/IZzYm+Wd8IT5xh/3oAxU6gvX3dD6FzQMy2Fl3bg ThAnA7+F/vs81GKhru/z41422h7GHyhjmLSe8sW2jd5tqjThaoxEgZ4ISwj9OdifOvRi KZhxJc7IvzCRf71FwDbmA6a9QAiKOJi1LM53qjDHiPkGPpJDL2Uijq3oAbIxLpzBxPQ8 YTkPSg/hS07ZTrg0NQidLXpeftAGcyedjdYxouQiwBEopmc12QbxxTIq7NpWqfoBDjN/ Pg==
Received: from prod-mail-ppoint8 (a72-247-45-34.deploy.static.akamaitechnologies.com [72.247.45.34] (may be forged)) by mx0a-00190b01.pphosted.com with ESMTP id 3a36sc65nr-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 29 Jul 2021 21:30:11 +0100
Received: from pps.filterd (prod-mail-ppoint8.akamai.com [127.0.0.1]) by prod-mail-ppoint8.akamai.com (8.16.1.2/8.16.1.2) with SMTP id 16TKKaWL002519; Thu, 29 Jul 2021 16:30:06 -0400
Received: from email.msg.corp.akamai.com ([172.27.165.112]) by prod-mail-ppoint8.akamai.com with ESMTP id 3a36vk8gb5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 29 Jul 2021 16:30:06 -0400
Received: from USTX2EX-DAG1MB1.msg.corp.akamai.com (172.27.165.119) by ustx2ex-dag1mb2.msg.corp.akamai.com (172.27.165.120) with Microsoft SMTP Server (TLS) id 15.0.1497.23; Thu, 29 Jul 2021 15:30:05 -0500
Received: from USTX2EX-DAG1MB1.msg.corp.akamai.com ([172.27.165.119]) by ustx2ex-dag1mb1.msg.corp.akamai.com ([172.27.165.119]) with mapi id 15.00.1497.023; Thu, 29 Jul 2021 15:30:05 -0500
From: "Salz, Rich" <rsalz@akamai.com>
To: "trans@ietf.org" <trans@ietf.org>, Martin Duke <martin.h.duke@gmail.com>
Thread-Topic: Martin Duke's No Objection on draft-ietf-trans-rfc6962-bis-39: (with COMMENT)
Thread-Index: AQHXhLiDkuM4I1WJH0S5dktI87Yhrg==
Date: Thu, 29 Jul 2021 20:30:04 +0000
Message-ID: <97FC6C54-5642-4E0B-B6CB-F3231C58D7AF@akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.51.21071101
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.27.164.43]
Content-Type: multipart/alternative; boundary="_000_97FC6C5456424E0BB6CBF3231C58D7AFakamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.790 definitions=2021-07-29_16:2021-07-29, 2021-07-29 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 mlxlogscore=999 bulkscore=0 malwarescore=0 spamscore=0 adultscore=0 suspectscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2107290125
X-Proofpoint-GUID: Xk3Z-yE-dcXRtd_0voLoLR0Z8zlSPuzg
X-Proofpoint-ORIG-GUID: Xk3Z-yE-dcXRtd_0voLoLR0Z8zlSPuzg
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.790 definitions=2021-07-29_16:2021-07-29, 2021-07-29 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxscore=0 priorityscore=1501 lowpriorityscore=0 impostorscore=0 bulkscore=0 malwarescore=0 adultscore=0 suspectscore=0 phishscore=0 mlxlogscore=999 clxscore=1015 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2107290125
X-Agari-Authentication-Results: mx.akamai.com; spf=${SPFResult} (sender IP is 72.247.45.34) smtp.mailfrom=rsalz@akamai.com smtp.helo=prod-mail-ppoint8
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/tQI1KeX37P9_I7GQ2oMqQYN-RHk>
Subject: Re: [Trans] Martin Duke's No Objection on draft-ietf-trans-rfc6962-bis-39: (with COMMENT)
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jul 2021 20:30:25 -0000

Sorry for losing the original message and therefore the References, etc., headers.


  *   Thanks for this document; I found it very interesting and enjoyed working
  *   through the Merkle Tree algorithms.

You are a glutton for punishment.


  *   1. I have some concerns about the scalability of this proposal and the Log ID
registry. If I understand correctly, there are at least two reasons an operator
would choose to shut down their log and start a new one, which requires a new
log ID:


  *   - to refresh the signature algorithm and/or key

The signature algorithm is unlikely to change until we have to deal with post-quantum signatures, and that is years away. As for the key being rotated, this is not a short-term WebPKI TLS key, but rather a long-term data signing key. So far none of the logs being used (I hesitate to say “in production”) have had to do either.


  *   - As certificates expire and are renewed over time, the log has to retain an
ever-expanding listing of useless, expired certificates and chains. While the
Merkle tree makes this computationally inexpensive, pruning the storage
requirements would require a refresh.

Perhaps. But again, it hasn’t happened yet, and there are multiple logs that record all of LetsEncrypt output, all the certs currently found on the Web via crawling, and so on.


  *   Which is to say that log IDs should change quite frequently.

As I’ve tried to show above, this seems not to be the case.  Certainly none of the logs currently being used have had to do it. (Yes, some used a different ID when going from “practice” to “deployment,” but that’s a different matter.)


  *   2. Would it be valuable to have a new "certificate revoked" object type in logs
that could provide some assurance that entries hadn't been revoked? I can think
of some ways this might work, but am not familiar enough with the use cases to
say if it'd be valuable.

Revocation in the WebPKI doesn’t work; instead clients do OCSP status checks to see if the certificate is still valid. That is a separate problem from what TRANS is doing, knowing if the certificate was properly issued.

>3. One nit: 4.1.1 and 4.1.2 have broken markdown tags.

Ben Kaduk fixed this.  Tnx.

v2.23.0 | Report a Bug | By Email