Re: [Trans] responses to Ryan's detailed comments on draft-ietf-trans-threat-analysis-15
Ryan Sleevi <ryan-ietf@sleevi.com> Fri, 28 September 2018 21:36 UTC
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Fri, 28 Sep 2018 17:35:55 -0400
To: Tim Hollebeek <tim.hollebeek@digicert.com>
Cc: Ben Kaduk <kaduk@mit.edu>, Ryan Sleevi <ryan-ietf@sleevi.com>, Trans <trans@ietf.org>, "stephentkent@gmail.com" <stephentkent@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/xntQMPca-Tq2EpdXBQlbh2-z8Kk>
On Fri, Sep 28, 2018 at 4:39 PM Tim Hollebeek <tim.hollebeek@digicert.com> wrote:

> My comment is correct for the situation as it largely exists today.
>
> That it might be different in the future is a fair point.

No, it isn’t, as the numbers I just referenced should have made clear that I am speaking about today, not the future.

The view that SCTs have to be included in certificates is not correct - not correct by the text, not correct by the existing policies, and not correct by the deployed reality. It is mistaken to keep suggesting such, because this can be empirically demonstrated as not correct. You can see this through the widescale deployment of Expect-CT by some cloud providers - demonstrating millions of active sites, with both existing and new certificates, without embedded SCTs. That this is both the deployed reality and consistent with the -bis recommendation is precisely why any attempt to ignore this is unproductive to understanding the system as written.

Further, given how 6962 evolved - in which the largest adoption came as large cloud providers automatically provided SCTs via TLS, and further supported the ecosystem investigation while CAs waited for the ecosystem to require it - it is entirely reasonable to say that every bit of available evidence supports a view that -bis will be deployed in the same way, with SCTs provided by all three methods.