Re: [Trans] Precertificates and revocation
Eran Messeri <eranm@google.com> Thu, 03 October 2019 10:03 UTC
Return-Path: <eranm@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F20A120119 for <trans@ietfa.amsl.com>; Thu, 3 Oct 2019 03:03:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.5
X-Spam-Level:
X-Spam-Status: No, score=-17.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Msn7R25dsDj for <trans@ietfa.amsl.com>; Thu, 3 Oct 2019 03:03:05 -0700 (PDT)
Received: from mail-yw1-xc2a.google.com (mail-yw1-xc2a.google.com [IPv6:2607:f8b0:4864:20::c2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A030120113 for <trans@ietf.org>; Thu, 3 Oct 2019 03:03:05 -0700 (PDT)
Received: by mail-yw1-xc2a.google.com with SMTP id i207so775360ywc.9 for <trans@ietf.org>; Thu, 03 Oct 2019 03:03:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+BQEcVAKL8zIh05aSzVzACi3gDAcwqShGXH5zcJIp+w=; b=XenRMXR4Ul/OsJRkPuIj6xu0lCs4rRriDWgyDmp0YUkzJ4NU+LxjTGRKPBB1v74a2K KEG89p4Jj0ZyKB2IZFLQBD2rLXyc8pndHlGg0Y+iIVrzxjpyYNNSWQUGGiTFheYo5jMT 7QoM2w28puHotAp9E4lkftyQ3SY4Vgdfl3ADtYYXf9PNqkrNimCBWp13Qe/IJtq5ztiN TxoW2yWxko8w3wzJbzCabPBRQW7cpbLRv/1E4FOqUY70/wkqF6osCzuhLzl4x4XyRTyx 5SW3g4e/N2HhMHTgXLIa0z9kFzSWneMLV+W/G/lW2SF39p4krIFN5L/jFlA1KSG57lKB XLHw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+BQEcVAKL8zIh05aSzVzACi3gDAcwqShGXH5zcJIp+w=; b=kRfFlHqDWGikT40vIUttPxq+0s6R9TmoG8cHpl7QOGb1cut8e68KXlBMXMVKCB6XIX EXbF94dIIhcz7vayExeSVFQCQpXPAsFg36RXGo9Ijan9vrni4VceS8GHN1hlRtTALvfW D1T2ZA436yP9IwPrsA1pF2YGdHuifhVkEbRN94EZ5kf7G8TSd+atYskfvGv07EFhFR0N 4Flkg4vG/coCC1bdTTco4P1rK5kSlqopLYozIvetrC2NU2IiHFDCHdFuaj26onU7VoC2 9J3yi642hgsLHoxF//wYZbYW7yt4n7fH19pEK9tSAGjfGZNe8NJHG6KvsQmEsI0dzKQ9 4+lg==
X-Gm-Message-State: APjAAAUu7ehPB4N7r2o5AFCGLl5LJ2cs17hq+GDvMdmOyIVe3wrE6gTB V5m+3HOU7eWOZg0r1uJbMYEXUJfDRj6xqH2NY6uFWw==
X-Google-Smtp-Source: APXvYqzzyC7BQ2eLDFX+aQDTI0tJewBWmJzNr0eum9RYsP6jUd7IrbT0ZryPXij1DU2RwZiWh+U/gUxzTtCICTOKzN0=
X-Received: by 2002:a81:3182:: with SMTP id x124mr5361165ywx.411.1570096982803; Thu, 03 Oct 2019 03:03:02 -0700 (PDT)
MIME-Version: 1.0
References: <20190916100800.5b62d43c0f28e30269f41b7a@andrewayer.name> <21a9ea1e-124b-3bf2-72f5-4dc755d4061b@sectigo.com> <CAErg=HHcG8p_6NAzKyDYg+gPpF6p7F688pSD+qD+shcFdr9vRA@mail.gmail.com> <39d0ea14-36ca-b311-91df-074c1346f8c3@sectigo.com> <CALzYgEciP=y401SWQhsCc71tbFVVFZ0W5S929QStXqJ1EQfFog@mail.gmail.com> <DM6PR17MB3162ED32E10F53952FD61FA2AA860@DM6PR17MB3162.namprd17.prod.outlook.com>
In-Reply-To: <DM6PR17MB3162ED32E10F53952FD61FA2AA860@DM6PR17MB3162.namprd17.prod.outlook.com>
From: Eran Messeri <eranm@google.com>
Date: Thu, 03 Oct 2019 11:02:35 +0100
Message-ID: <CALzYgEd5Q-UGMiHS4+nRjUvAt-YneMW0W1m=377kb8qzA4oxgg@mail.gmail.com>
To: Rob Stradling <rob@sectigo.com>
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>, "trans@ietf.org" <trans@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ecae420593feb0ab"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/t_ylcYzC60EXuHxgU7-5AgOwz-M>
Subject: Re: [Trans] Precertificates and revocation
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Oct 2019 10:03:08 -0000
That reasoning makes sense to me. If 6962-bis precertificate is not a certificate but 6962-bis states that the existence of a precertificate indicates intent to issue a certificate, then checking whether the final certificate has been issued/revoked via OCSP makes sense. On Thu, Sep 26, 2019 at 5:40 PM Rob Stradling <rob@sectigo.com> wrote: > Hi Eran. OCSP (RFC6960, RFC5019) responses and CRLs (RFC5280) provide > status information for certificates (RFC5280). In CTv1 (RFC6962), > precertificates are certificates; whereas in CTv2 (6962-bis), > precertificates are (by design!) not certificates. > > The "effective MUST NOT" is because anything that is not a certificate (be > it a CTv2 precertificate, a cat GIF, or whatever) is not in scope for OCSP, > as currently specified. > > The fact that a CTv2 precertificate has a serial number that is intended > to subsequently belong to a certificate makes it possible to imagine > extending the OCSP protocol to report statuses of CTv2 precertificates. > But until the OCSP protocol is extended in this way, the fact is that...the > OCSP protocol has not yet been extended in this way. > > I think 6962-bis should extend the OCSP protocol in this way. If it can > be avoided, I don't think it should be left to CT client policies to extend > IETF protocols. > > ------------------------------ > *From:* Eran Messeri <eranm@google.com> > *Sent:* 25 September 2019 17:58 > *To:* Rob Stradling <rob@sectigo.com> > *Cc:* Ryan Sleevi <ryan-ietf@sleevi.com>; trans@ietf.org <trans@ietf.org> > *Subject:* Re: [Trans] Precertificates and revocation > > Rob, what leads you to say that "6962-bis has an effective MUST NOT" > regarding the CA not having to provide status information for a 6962-bis > precertificate? > > I agree it'd be helpful to add a clarification in 6962-bis regarding CAs > possibly being asked about revocation status of a not-yet-issued > certificate. I just want to understand where 6962-bis prevents CAs from > publishing revocation info for 6962-bis precerts. > > On Mon, Sep 23, 2019 at 12:21 PM Rob Stradling <rob@sectigo.com> wrote: > > If 6962-bis says nothing about this topic, then ISTM that the default > effective requirement will be that a CA MUST NOT provide OCSP status for > a (CT v2) precertificate where the corresponding certificate has not > (yet) been issued. This is because, whichever way you look at it, a CT > v2 precertificate is not a "certificate" according to > RFC5280/RFC6960/RFC5019. > > I agree that a statement such as "CAs MUST provide OCSP status for CT v2 > precertificates" would not belong in 6962-bis, but would instead belong > in a TLS client policy document. However, I would prefer to avoid the > situation where 6962-bis has an effective MUST NOT but where (some, but > not necessarily all) TLS client policies have a MUST. In order to avoid > such a conflict, I think it would be helpful for 6962-bis to outline the > policy space by making the following points: > > 1. Since issuance of a precertificate `P` is a binding commitment to > issue a corresponding certificate `C`, monitors may reasonably assume > that `C` has been issued. > 2. It follows that monitors may wish to request status information > (e.g., via CRL and/or OCSP) for the serial number of `P`, even though > (unbeknownst to the monitor) `C` has not actually been issued. > 3. Although `P` is not a "certificate" according to > RFC5280/RFC6960/RFC5019, some TLS clients may have policies that require > CAs to provide certificate status (e.g., signed OCSP responses and/or > CRLs) for the serial number of `P`, regardless of whether or not `C` has > been issued. > > Making these points would transform 6962-bis's effective requirement > from a MUST NOT into a MAY. A TLS client policy could then profile that > to a MUST without introducing any conflict. > > ISTM that this approach of outlining the policy space but not setting > policy would be consistent with, for example, > https://tools.ietf.org/html/draft-ietf-trans-rfc6962-bis-33#section-6.1. > > On 20/09/2019 17:16, Ryan Sleevi wrote: > > As I mentioned elsewhere, I'm not sure this is an entirely useful or > > productive concern to be raising at this time. I have also shared that I > > think this is a question of policy than protocol, even though the policy > > decision has implications on other protocols. Thus I think it's much > > more appropriately discussed among individual implementations. > > > > As a protocol for allowing both the pre-disclosure of a certificate and > > post-disclosure of a certificate. We saw, rather extensively in the > > Threat Model document, different perspectives on policies regarding how > > pre-disclosure should be treated and handled. For example, using the > > protocol in 6962 or -bis, it's possible to use CT as a means of > > detecting and correcting certificates prior to issuance (the discussion > > about Logs applying rules to certificates). Similarly, it's possible for > > CT as a protocol to be used entirely internal to an organization, as > > part of audit logging for external audits via a common protocol, even > > with the inclusion of data that might otherwise be inappropriate for > > publicly-exposed logs. > > > > So I do think that, from the point of view of the RFCs, it's a matter of > > policy as to how the existence of a pre-certificate is treated, which > > aligns with the particular intended deployment of the CT protocol. If a > > policy (e.g. by a browser, for the Web PKI) treats the issuance of a > > pre-certificate as an unrebuttable proof of an equivalent certificate, > > which is certainly one of the core things CT enables policy to state, > > then it naturally follows that it must be treated as such within > > protocols that are keyed on the issuance of certificates. > > > > It's an operational concern, defined by local policy, as to what impact, > > if any, it has on other protocols. Just as RFC 5280 does not define, for > > example, what forms of names to include within a distinguished name, I'm > > not convinced that this would even belong in 6962-bis, because it covers > > the operational aspects and implications of a PKI that may use, in part > > or whole, these RFCs. > > -- > Rob Stradling > Senior Research & Development Scientist > Sectigo Limited > > _______________________________________________ > Trans mailing list > Trans@ietf.org > https://www.ietf.org/mailman/listinfo/trans > >
- [Trans] Precertificates and revocation Rob Stradling
- Re: [Trans] Precertificates and revocation Ryan Sleevi
- Re: [Trans] Precertificates and revocation Erwann Abalea
- Re: [Trans] Precertificates and revocation Rob Stradling
- Re: [Trans] Precertificates and revocation Eran Messeri
- Re: [Trans] Precertificates and revocation Rob Stradling
- Re: [Trans] Precertificates and revocation Rob Stradling
- Re: [Trans] Precertificates and revocation Eran Messeri
- Re: [Trans] Precertificates and revocation Rob Stradling
- Re: [Trans] Precertificates and revocation Rob Stradling
- Re: [Trans] Precertificates and revocation Paul Wouters