Re: [Trans] responses to Ryan's detailed comments on draft-ietf-trans-threat-analysis-15

Ryan Sleevi <ryan-ietf@sleevi.com> Fri, 28 September 2018 21:36 UTC

References: <071bd596-07ec-fe8a-861c-3ef181fec848@gmail.com> <CAErg=HEschK1K9UwS79uOPjgeCxVy4cEDHzhCQxpJrc3LxqNDQ@mail.gmail.com> <20180928022909.GG24695@kduck.kaduk.org> <DM5PR14MB1116A7D338E1C53ADDEBFB3583EC0@DM5PR14MB1116.namprd14.prod.outlook.com> <CAErg=HGs14ZtTTUUmorRboZzJshxF5J_+XZ07-zExfXvY=Y2+w@mail.gmail.com> <DM5PR14MB1116115863D4B3811701170183EC0@DM5PR14MB1116.namprd14.prod.outlook.com>
In-Reply-To: <DM5PR14MB1116115863D4B3811701170183EC0@DM5PR14MB1116.namprd14.prod.outlook.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Fri, 28 Sep 2018 17:35:55 -0400
Message-ID: <CAErg=HFNo3YWOhkykav8w5dO8=ZdrsGsVHk2vs0yEo5wgJutTQ@mail.gmail.com>
To: Tim Hollebeek <tim.hollebeek@digicert.com>
Cc: Ben Kaduk <kaduk@mit.edu>, Ryan Sleevi <ryan-ietf@sleevi.com>, Trans <trans@ietf.org>, "stephentkent@gmail.com" <stephentkent@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/xntQMPca-Tq2EpdXBQlbh2-z8Kk>
Subject: Re: [Trans] responses to Ryan's detailed comments on draft-ietf-trans-threat-analysis-15
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>

On Fri, Sep 28, 2018 at 4:39 PM Tim Hollebeek <tim.hollebeek@digicert.com>
wrote:

> My comment is correct for the situation as it largely exists today.
>
> That it might be different in the future is a fair point.

No, it isn’t, as the numbers I just referenced should have made clear that
I am speaking about today, not the future.

The view that SCTs have to be included in certificates is not correct - not
correct by the text, not correct by the existing policies, and not correct
by the deployed reality. It is mistaken to keep suggesting such, because
this can be empirically demonstrated as not correct.

You can see this through the widescale deployment of Expect-CT by some
cloud providers - demonstrating millions of active sites, with both
existing and new certificates, without embedded SCTs.

That this is both the deployed reality and consistent with the -bis
recommendation is precisely why any attempt to ignore this is unproductive
to understanding the system as written.

Further, given how 6962 evolved - in which the largest adoption came as
large cloud providers automatically provided SCTs via TLS, and further
supported the ecosystem investigation while CAs waited for the ecosystem to
require it - it is entirely reasonable to say that every bit of available
evidence supports a view that -bis will be deployed in the same way, with
SCTs provided by all three methods.
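
The "three methods" referred to above are the SCT delivery paths RFC 6962 defines: an X.509v3 extension in the certificate (OID 1.3.6.1.4.1.11129.2.4.2), the signed_certificate_timestamp TLS extension (type 18), and an OCSP response extension (OID 1.3.6.1.4.1.11129.2.4.5). The following is an added example, not code from this thread or from any CT log, CA or browser implementation. It builds a SignedCertificateTimestampList from constructed placeholder SCTs (fake log IDs, a fixed timestamp, dummy signature bytes; no signature is verified) and decodes it from each framing, showing that the identical list is recovered whether it arrives embedded in the certificate, in an OCSP response, or in the TLS handshake. Function names and the sample values are assumptions made for the example.

```python
import struct

# RFC 6962 delivery paths: certificate extension 1.3.6.1.4.1.11129.2.4.2,
# OCSP extension 1.3.6.1.4.1.11129.2.4.5 (both carry the list inside an
# OCTET STRING extnValue) and TLS extension type 18 (the list is bare).
# Added example; not code from the thread or from any CT implementation.
HASH_ALGS = {4: "sha256"}          # TLS 1.2 HashAlgorithm code points
SIG_ALGS = {1: "rsa", 3: "ecdsa"}  # TLS 1.2 SignatureAlgorithm code points

def der_octet_string(payload: bytes) -> bytes:
    """Wrap payload in a DER OCTET STRING (tag 0x04), short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return b"\x04" + bytes([n]) + payload
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x04" + bytes([0x80 | len(len_bytes)]) + len_bytes + payload

def der_unwrap_octet_string(data: bytes) -> bytes:
    """Strip one DER OCTET STRING, rejecting a length that does not match the data."""
    if len(data) < 2 or data[0] != 0x04:
        raise ValueError("not an OCTET STRING")
    n, off = data[1], 2
    if n >= 0x80:                      # long form: low bits give length-of-length
        k = n & 0x7F
        n, off = int.from_bytes(data[2:2 + k], "big"), 2 + k
    if off + n != len(data):
        raise ValueError("OCTET STRING length mismatch")
    return data[off:]

def encode_sct(log_id, timestamp_ms, signature, hash_alg=4, sig_alg=3, extensions=b""):
    """Serialise one v1 SCT: version, log_id, timestamp, extensions, DigitallySigned."""
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + bytes([hash_alg, sig_alg]) + struct.pack(">H", len(signature)) + signature)

def encode_sct_list(scts):
    """SignedCertificateTimestampList: 2-byte total length, then 2-byte-prefixed SCTs."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body

def parse_sct(data: bytes) -> dict:
    """Parse one SCT, checking every length field against the bytes present."""
    if len(data) < 47 or data[0] != 0:      # 47 = minimum v1 SCT with empty fields
        raise ValueError("short or non-v1 SCT")
    timestamp_ms = struct.unpack(">Q", data[33:41])[0]
    ext_len = struct.unpack(">H", data[41:43])[0]
    off = 43 + ext_len
    if off + 4 > len(data):
        raise ValueError("truncated DigitallySigned")
    hash_alg, sig_alg = data[off], data[off + 1]
    sig_len = struct.unpack(">H", data[off + 2:off + 4])[0]
    if off + 4 + sig_len != len(data):
        raise ValueError("signature length mismatch")
    return {"version": 0, "log_id": data[1:33].hex(), "timestamp_ms": timestamp_ms,
            "extensions": data[43:off].hex(), "hash_alg": HASH_ALGS.get(hash_alg, hash_alg),
            "sig_alg": SIG_ALGS.get(sig_alg, sig_alg), "signature": data[off + 4:].hex()}

def parse_sct_list(data: bytes) -> list:
    """Parse the bare SignedCertificateTimestampList carried by any of the three paths."""
    if len(data) < 2 or struct.unpack(">H", data[:2])[0] != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    off, out = 2, []
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated SCT entry length")
        n = struct.unpack(">H", data[off:off + 2])[0]
        if off + 2 + n > len(data):
            raise ValueError("SCT entry overruns list")
        out.append(parse_sct(data[off + 2:off + 2 + n]))
        off += 2 + n
    return out

def scts_from_delivery(source: str, blob: bytes) -> list:
    """Decode SCTs delivered via 'x509' (extnValue), 'ocsp' (extnValue) or 'tls' (extension_data)."""
    if source in ("x509", "ocsp"):
        blob = der_unwrap_octet_string(blob)  # extnValue is an OCTET STRING around the list
    elif source != "tls":
        raise ValueError("unknown delivery path %r" % source)
    return parse_sct_list(blob)

def rejects(source: str, blob: bytes) -> bool:
    """True if scts_from_delivery refuses the input (shows the framing is actually checked)."""
    try:
        scts_from_delivery(source, blob)
    except ValueError:
        return True
    return False

# Constructed sample: two fake 32-byte log IDs, a fixed timestamp, dummy 70-byte signatures.
FAKE_LOG_IDS = [bytes([0xA1]) * 32, bytes([0xB2]) * 32]
CONSTRUCTED_TIMESTAMP_MS = 1538170566000
SAMPLE_LIST = encode_sct_list(
    [encode_sct(lid, CONSTRUCTED_TIMESTAMP_MS, b"\x30" + bytes(69)) for lid in FAKE_LOG_IDS])

def demo() -> dict:
    """The same list as each path would carry it; all three decode to identical SCTs."""
    return {"x509": scts_from_delivery("x509", der_octet_string(SAMPLE_LIST)),
            "ocsp": scts_from_delivery("ocsp", der_octet_string(SAMPLE_LIST)),
            "tls": scts_from_delivery("tls", SAMPLE_LIST)}
```

The only difference between the paths is the outer DER OCTET STRING around the list for the certificate and OCSP cases; the list itself, and therefore any policy a client applies to the SCTs inside it, is the same regardless of which path delivered it. The two-SCT sample is long enough (240 bytes) to exercise the long-form DER length that real embedded SCT lists use.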