Re: [Trans] Precertificate format

"Hill, Brad" <bhill@paypal.com> Tue, 09 September 2014 19:59 UTC

From: "Hill, Brad" <bhill@paypal.com>
To: Stephen Kent <kent@bbn.com>
Date: Tue, 9 Sep 2014 19:59:02 +0000
Message-ID: <5B08EB66-1A0F-4FAC-90BE-11949471F0BF@paypal.com>
References: <540DFA75.2040000@gmail.com> <540E0E90.1070208@bbn.com> <4B184DAD-3C7A-4032-8BA6-634736BB2689@paypal.com>
In-Reply-To: <4B184DAD-3C7A-4032-8BA6-634736BB2689@paypal.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/vbi6cOZKeoK27DcVsrpxRCDqbFE
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] Precertificate format

Stephen,

Below was your original question, which I've attempted to answer in as straightforward a manner as possible, including illustrative examples from recent history.  Detecting mis-issuance of certificates through public logging of such is the stated goal of the I-D.  The complex nature of X.509/PKIX and the surrounding technology ecosystem and the history of vulnerabilities in such demonstrates that including everything in the log except that which MUST be excluded furthers that goal.  There is not a specific threat model nor any need to articulate one.  We desire a technology that is useful against as many threats to the broad certificate ecosystem as possible, including those yet to be formally anticipated.

-Brad

On Sep 8, 2014, at 4:45 PM, Hill, Brad <bhill@paypal.com> wrote:

>> I suggest that the CT designers list which data items from a cert that is being
>> logged need to be in the SCT request, and why each item has to be present. Maybe that
>> will show us how to avoid the concern that I and others have raised. It would also
>> provide us with a starting point for the format of a new data structure for the SCT
>> request, and the set of data that is input to the SCT hash computation.