Re: [Trans] Precertificate format

"Hill, Brad" <> Tue, 09 September 2014 19:59 UTC

From: "Hill, Brad" <>
To: Stephen Kent <>
List-Id: Public Notary Transparency working group discussion list <>


Below was your original question, which I've attempted to answer in as straightforward a manner as possible, including illustrative examples from recent history.  Detecting mis-issuance of certificates through public logging of such is the stated goal of the I-D.  The complex nature of X.509/PKIX and the surrounding technology ecosystem and the history of vulnerabilities in such demonstrate that including everything in the log except that which MUST be excluded furthers that goal.  There is not a specific threat model nor any need to articulate one.  We desire a technology that is useful against as many threats to the broad certificate ecosystem as possible, including those yet to be formally anticipated.


On Sep 8, 2014, at 4:45 PM, Hill, Brad <> wrote:

>> I suggest that the CT designers list which data items from a cert that is being
>> logged need to be in the SCT request, and why each item has to be present. Maybe that
>> will show us how to avoid the concern that I and others have raised. It would also
>> provide us with a starting point for the format of a new data structure for the SCT
>> request, and the set of data that is input to the SCT hash computation.