IETF Logo Mail Archive

Re: [Trans] Precertificates and revocation

Rob Stradling <rob@sectigo.com> Thu, 26 September 2019 16:40 UTC

Return-Path: <rob@sectigo.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6E3F120A77 for <trans@ietfa.amsl.com>; Thu, 26 Sep 2019 09:40:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=comodoca.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ltmEubsag8B4 for <trans@ietfa.amsl.com>; Thu, 26 Sep 2019 09:40:05 -0700 (PDT)
Received: from NAM04-CO1-obe.outbound.protection.outlook.com (mail-eopbgr690089.outbound.protection.outlook.com [40.107.69.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BBB80120853 for <trans@ietf.org>; Thu, 26 Sep 2019 09:40:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FaJYxXafihIuwj5BNrlQch+LGOaiDGL6yVZVYOk1PTwZrh/LLdXYYtzqykaaypuyluNoiZ4+rlUZIaGwi1Hq/zpgqqglpF04FlkoqSw/JAUdICo9naymsiB1Ez1Ge2I+IpV0lYuXQwux4fCJhTug/EfBtxTy10sCDa6j8RUPupjjeW4weZfMCqgWBkziMJTQwMLPxZ5bdHPd9PsDrTYm7YdRsnK0hhhUKVixpBGXcBBsMFDLIl81q2eaZoGa9+HURVFhHUMWeZqNIWI+l/fLIezQpDb2yK2KGK1zjOJV62RlM1RTT59/wNfmzdkS2lvosyVJWr3bE9sxCwCspT8g9Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=e3ej8lWxfaej2XxcE3M4cpNPAFLtZ6zL3p0A9hX8I+0=; b=ePJJpds17iCz7zBhZbf24rCiMiaJNBqbvhECkTNEyfdGdqLE9kEl777oRC2qqROQswCxRMUNKCPIJAMT1WAG8Us6ZGRc31fur/E0nA6dss6P0PCtP/ZQQ2sVSBi3FyfwIf7lVdVd0l56kSiIDSEKcDGf2VfBNeowilE4bIU8qKvxLNBCmd7TSiVPmhba4Oz5aaLw7gevR3WZbqrwZ1nTbzuPNpDYGOOGD2KdKYzHS502nkwcrJIYnu035t30fQ/i+fuflioT6sjwV7FmH4VosLpSO/ESLe/WLaX3iGMCA4/SZfVQucSh69gafJCAU6qt9UD2qngDrqhPo0t9T/vMGA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=sectigo.com; dmarc=pass action=none header.from=sectigo.com; dkim=pass header.d=sectigo.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comodoca.onmicrosoft.com; s=selector2-comodoca-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=e3ej8lWxfaej2XxcE3M4cpNPAFLtZ6zL3p0A9hX8I+0=; b=R+JNKNEE6EMEVoVSVzWxp+C0qcXZCTQTfCpJR9KICLlOrHDgUfF2+9SvYyNMx7wwiIL0/GOV01vq94tDE4PM0HZtwZOnfWr41aFO9cdvXgfULKoBYdB1rPTcn3iyyEH8bkVYEii3DXa3gra+fyD0DruxfuU8DXpKjjAii4k9MbA=
Received: from DM6PR17MB3162.namprd17.prod.outlook.com (20.176.124.223) by DM6PR17MB2956.namprd17.prod.outlook.com (20.178.228.87) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2305.16; Thu, 26 Sep 2019 16:40:03 +0000
Received: from DM6PR17MB3162.namprd17.prod.outlook.com ([fe80::dc78:38ff:9fc6:58cf]) by DM6PR17MB3162.namprd17.prod.outlook.com ([fe80::dc78:38ff:9fc6:58cf%3]) with mapi id 15.20.2284.023; Thu, 26 Sep 2019 16:40:03 +0000
From: Rob Stradling <rob@sectigo.com>
To: Eran Messeri <eranm@google.com>
CC: Ryan Sleevi <ryan-ietf@sleevi.com>, "trans@ietf.org" <trans@ietf.org>
Thread-Topic: [Trans] Precertificates and revocation
Thread-Index: AQHVb7qjeJ8k5jrm8UOJQ5rvAEBgSKc0vfSAgARklACAA4LeAIABh9we
Date: Thu, 26 Sep 2019 16:40:03 +0000
Message-ID: <DM6PR17MB3162ED32E10F53952FD61FA2AA860@DM6PR17MB3162.namprd17.prod.outlook.com>
References: <20190916100800.5b62d43c0f28e30269f41b7a@andrewayer.name> <21a9ea1e-124b-3bf2-72f5-4dc755d4061b@sectigo.com> <CAErg=HHcG8p_6NAzKyDYg+gPpF6p7F688pSD+qD+shcFdr9vRA@mail.gmail.com> <39d0ea14-36ca-b311-91df-074c1346f8c3@sectigo.com>, <CALzYgEciP=y401SWQhsCc71tbFVVFZ0W5S929QStXqJ1EQfFog@mail.gmail.com>
In-Reply-To: <CALzYgEciP=y401SWQhsCc71tbFVVFZ0W5S929QStXqJ1EQfFog@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=rob@sectigo.com;
x-originating-ip: [85.255.236.72]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 35b7bca3-6ff1-4d43-c0bf-08d742a02e73
x-ms-traffictypediagnostic: DM6PR17MB2956:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <DM6PR17MB29561206379733872FA60DD4AA860@DM6PR17MB2956.namprd17.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0172F0EF77
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(366004)(346002)(396003)(136003)(39860400002)(189003)(199004)(40224003)(54906003)(229853002)(14454004)(6246003)(2906002)(9686003)(81156014)(236005)(19627405001)(33656002)(8936002)(6436002)(55016002)(6916009)(25786009)(71200400001)(478600001)(316002)(66574012)(6306002)(7736002)(54896002)(81166006)(8676002)(102836004)(71190400001)(64756008)(66476007)(66556008)(91956017)(76116006)(53546011)(86362001)(74316002)(6506007)(66946007)(11346002)(52536014)(966005)(66066001)(446003)(26005)(476003)(186003)(3846002)(66446008)(5660300002)(486006)(6116002)(606006)(14444005)(256004)(99286004)(4326008)(76176011)(7696005)(105004); DIR:OUT; SFP:1101; SCL:1; SRVR:DM6PR17MB2956; H:DM6PR17MB3162.namprd17.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: sectigo.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: l3KTLLpCC1/jDj8pU3w++bU+Xg3Ycdtels+W8wyrVCD/GTHjHcoSxPoe7YEeQufv0gx5iYq3NvlHAaxK4l1FU113FPoVPHHPW5QBcsKBQRXEiuJwJAnm9Ao260ezpctKnLvYz9R4Kl5tGcJncyIsYqUSo6yFwwHc/F73/RAuk6kqF+HshxrSbAAqj0logJK37enYpAdUcXB5EFELH16nJcv6tjdMzECwxMeTlw6YiphCLxXQvHgo3xh78aFwCmS/R3jbyw08hW5vETiirPis3TfHleCHxRYdExC23KtrK+uTNkSmNmOBSrJKcTYJp046yjZtXQOJic8r39kZVd4PFmekTIfrG+L9mLXErLYJ+ImCdCi1ay8YJ6b3MnrxesSetQYFDTJl1hOoYeZ2d4tDIEZ5BYxuLMpY/iVqQxD4LEVd7HtwJ3FYRzuRS74VLZ0fV/Ht45E033H/eokMxE+XMA==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_DM6PR17MB3162ED32E10F53952FD61FA2AA860DM6PR17MB3162namp_"
MIME-Version: 1.0
X-OriginatorOrg: sectigo.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 35b7bca3-6ff1-4d43-c0bf-08d742a02e73
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Sep 2019 16:40:03.6163 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0e9c4894-6caa-465d-9660-4b6968b49fb7
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 2kfAqqjglX8d/NPw8FvlAnP3eg+IhTvzR6rF1+/S3frdrPGq9kIPycG/v7WoFnXOODYz3mqUwotZMPQsm6CxpQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR17MB2956
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/tW8pNROKMIo02U6yJYG8q-jjw_A>
Subject: Re: [Trans] Precertificates and revocation
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Sep 2019 16:40:10 -0000

Hi Eran.  OCSP (RFC6960, RFC5019) responses and CRLs (RFC5280) provide status information for certificates (RFC5280).  In CTv1 (RFC6962), precertificates are certificates; whereas in CTv2 (6962-bis), precertificates are (by design!) not certificates.

The "effective MUST NOT" is because anything that is not a certificate (be it a CTv2 precertificate, a cat GIF, or whatever) is not in scope for OCSP, as currently specified.

The fact that a CTv2 precertificate has a serial number that is intended to subsequently belong to a certificate makes it possible to imagine extending the OCSP protocol to report statuses of CTv2 precertificates.  But until the OCSP protocol is extended in this way, the fact is that...the OCSP protocol has not yet been extended in this way.

I think 6962-bis should extend the OCSP protocol in this way.  If it can be avoided, I don't think it should be left to CT client policies to extend IETF protocols.

________________________________
From: Eran Messeri <eranm@google.com>
Sent: 25 September 2019 17:58
To: Rob Stradling <rob@sectigo.com>
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>; trans@ietf.org <trans@ietf.org>
Subject: Re: [Trans] Precertificates and revocation

Rob, what leads you to say that "6962-bis has an effective MUST NOT" regarding the CA not having to provide status information for a 6962-bis precertificate?

I agree it'd be helpful to add a clarification in 6962-bis regarding CAs possibly being asked about revocation status of a not-yet-issued certificate. I just want to understand where 6962-bis prevents CAs from publishing revocation info for 6962-bis precerts.

On Mon, Sep 23, 2019 at 12:21 PM Rob Stradling <rob@sectigo.com<mailto:rob@sectigo.com>> wrote:
If 6962-bis says nothing about this topic, then ISTM that the default
effective requirement will be that a CA MUST NOT provide OCSP status for
a (CT v2) precertificate where the corresponding certificate has not
(yet) been issued.  This is because, whichever way you look at it, a CT
v2 precertificate is not a "certificate" according to
RFC5280/RFC6960/RFC5019.

I agree that a statement such as "CAs MUST provide OCSP status for CT v2
precertificates" would not belong in 6962-bis, but would instead belong
in a TLS client policy document.  However, I would prefer to avoid the
situation where 6962-bis has an effective MUST NOT but where (some, but
not necessarily all) TLS client policies have a MUST.  In order to avoid
such a conflict, I think it would be helpful for 6962-bis to outline the
policy space by making the following points:

1. Since issuance of a precertificate `P` is a binding commitment to
issue a corresponding certificate `C`, monitors may reasonably assume
that `C` has been issued.
2. It follows that monitors may wish to request status information
(e.g., via CRL and/or OCSP) for the serial number of `P`, even though
(unbeknownst to the monitor) `C` has not actually been issued.
3. Although `P` is not a "certificate" according to
RFC5280/RFC6960/RFC5019, some TLS clients may have policies that require
CAs to provide certificate status (e.g., signed OCSP responses and/or
CRLs) for the serial number of `P`, regardless of whether or not `C` has
been issued.

Making these points would transform 6962-bis's effective requirement
from a MUST NOT into a MAY.  A TLS client policy could then profile that
to a MUST without introducing any conflict.

ISTM that this approach of outlining the policy space but not setting
policy would be consistent with, for example,
https://tools.ietf.org/html/draft-ietf-trans-rfc6962-bis-33#section-6.1.

On 20/09/2019 17:16, Ryan Sleevi wrote:
> As I mentioned elsewhere, I'm not sure this is an entirely useful or
> productive concern to be raising at this time. I have also shared that I
> think this is a question of policy than protocol, even though the policy
> decision has implications on other protocols. Thus I think it's much
> more appropriately discussed among individual implementations.
>
> As a protocol for allowing both the pre-disclosure of a certificate and
> post-disclosure of a certificate. We saw, rather extensively in the
> Threat Model document, different perspectives on policies regarding how
> pre-disclosure should be treated and handled. For example, using the
> protocol in 6962 or -bis, it's possible to use CT as a means of
> detecting and correcting certificates prior to issuance (the discussion
> about Logs applying rules to certificates). Similarly, it's possible for
> CT as a protocol to be used entirely internal to an organization, as
> part of audit logging for external audits via a common protocol, even
> with the inclusion of data that might otherwise be inappropriate for
> publicly-exposed logs.
>
> So I do think that, from the point of view of the RFCs, it's a matter of
> policy as to how the existence of a pre-certificate is treated, which
> aligns with the particular intended deployment of the CT protocol. If a
> policy (e.g. by a browser, for the Web PKI) treats the issuance of a
> pre-certificate as an unrebuttable proof of an equivalent certificate,
> which is certainly one of the core things CT enables policy to state,
> then it naturally follows that it must be treated as such within
> protocols that are keyed on the issuance of certificates.
>
> It's an operational concern, defined by local policy, as to what impact,
> if any, it has on other protocols. Just as RFC 5280 does not define, for
> example, what forms of names to include within a distinguished name, I'm
> not convinced that this would even belong in 6962-bis, because it covers
> the operational aspects and implications of a PKI that may use, in part
> or whole, these RFCs.

--
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited

_______________________________________________
Trans mailing list
Trans@ietf.org<mailto:Trans@ietf.org>
https://www.ietf.org/mailman/listinfo/trans

v2.23.0 | Report a Bug | By Email