Re: [Trans] Question about PRIVATE option (Ticket #1)

Rick Andrews <Rick_Andrews@symantec.com> Tue, 11 March 2014 20:35 UTC

From: Rick Andrews <Rick_Andrews@symantec.com>
To: Rob Stradling <rob.stradling@comodo.com>, "trans@ietf.org" <trans@ietf.org>
Date: Tue, 11 Mar 2014 13:35:17 -0700
Thread-Topic: [Trans] Question about PRIVATE option (Ticket #1)
Message-ID: <544B0DD62A64C1448B2DA253C011414607C77BCCBE@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
References: <544B0DD62A64C1448B2DA253C011414607C70EAF9E@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <531EE6A6.7000007@comodo.com>
In-Reply-To: <531EE6A6.7000007@comodo.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/xo_lFKmDYcNh6DmYsyb4va9L0bY
Subject: Re: [Trans] Question about PRIVATE option (Ticket #1)

Rob,

What you're suggesting is that the add-pre-chain command can be used to log a cert that ultimately will not include the SCTs in the final cert? That seems like a path forward.

For the slight complication you describe, I suppose that needs to be added to the issue tracker.

-Rick

> -----Original Message-----
> From: Rob Stradling [mailto:rob.stradling@comodo.com]
> Sent: Tuesday, March 11, 2014 3:34 AM
> To: Rick Andrews; trans@ietf.org
> Subject: Re: [Trans] Question about PRIVATE option (Ticket #1)
> 
> Rick, thanks for raising this.  I agree that we need to make the
> PRIVATE
> option work in these scenarios.  As it happens, I mentioned this to Ben
> just before the trans meeting last week.
> 
> My suggestion is that we should permit both Certificate SCTs _and
> Precertificate SCTs_ to be delivered via OCSP Stapling and the TLS
> Extension.
> 
> There's no reason why a Precertificate couldn't be issued _after_ the
> corresponding Certificate has been issued!  :-)
> 
> Would this work for you?
> 
> 
> Slight complication...
> In the SCT v1 format, entry_type is "implicit from the context in which
> the SCT is presented."
> So, for the above idea to work, we would need to either:
>    i) Define SCT v2, in which entry_type is expressed explicitly.
>    or
>    ii) Define a CtExtensions extension to carry the entry_type
> explicitly in a v1 SCT.
>    or
>    iii) Expect TLS Clients to attempt to verify v1 SCTs sent via OCSP
> Stapling or the TLS Extension twice (first time, assume entry_type is
> "x509_entry"; if the SCT signature doesn't verify, try again, this time
> assuming entry_type is "precert_entry").
> 
> On 10/03/14 18:58, Rick Andrews wrote:
> > Regarding Issue #1: http://tools.ietf.org/wg/trans/trac/ticket/1#
> > "Need options for avoiding logging private subdomains", I think the
> > design is not yet complete.
> > I understand how this works when my customer has chosen the precert
> > delivery option (I mask the second level domain in the precert that I
> > send with the add-pre-chain command).
> > But if my customer has chosen to deliver SCTs via OCSP staple or TLS
> > extension, and they want to keep their subdomain private, what do I
> > do?
> > I'm going to sign the cert without SCTs in it, but if I log it via an
> > add-chain command, the subdomains will be visible in the log.
> > -Rick
> 
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online