Re: [Trans] Redaction

Steve Medin <Steve_Medin@symantec.com> Tue, 13 December 2016 03:10 UTC

From: Steve Medin <Steve_Medin@symantec.com>
To: Peter Bowen <pzbowen@gmail.com>
Date: Tue, 13 Dec 2016 03:10:35 +0000
Message-ID: <BLUPR16MB044972FF0B34A5EB5B8E46A8EA9B0@BLUPR16MB0449.namprd16.prod.outlook.com>
References: <6268e70318aa4ba2acf869829fcb62c3@EX2.corp.digicert.com> <20161212222134.GM11153@hezmatt.org> <BLUPR16MB0449CBDA428C59F1101625D4EA980@BLUPR16MB0449.namprd16.prod.outlook.com> <CAK6vND8Jo8UERBvqo0-rTJjRzi61NBzKXJhBdwTq_5Azgh0D1Q@mail.gmail.com>
In-Reply-To: <CAK6vND8Jo8UERBvqo0-rTJjRzi61NBzKXJhBdwTq_5Azgh0D1Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/xx2dg_VMxAV4zHKnnegaKyDs0PE>
Cc: Matt Palmer <mpalmer@hezmatt.org>, "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] Redaction
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>

Yea, but when I talk about the Plex Pass certs, I'm not on the internal 
network privacy concern that split-horizon suits, I'm talking about how TCSC 
fits customers with static and limited domain ownership.

The concern I saw in my recent past was needing to frequently add names to a 
name constraint extension, and managing N generations of intermediate CAs as 
they are expanded with new public domain realty present in external DNS and 
directory names that represent localized global brand presence and expansion.

In that same past, I produced a 23kb TCSC as an interim to a dynamically 
modified managed service and enterprise RA. Fortunately, it broke zero 
browsers.

> -----Original Message-----
> From: Peter Bowen [mailto:pzbowen@gmail.com]
> Sent: Monday, December 12, 2016 6:09 PM
> To: Steve Medin <Steve_Medin@symantec.com>
> Cc: Matt Palmer <mpalmer@hezmatt.org>; trans@ietf.org
> Subject: Re: [Trans] Redaction
>
> On Mon, Dec 12, 2016 at 3:02 PM, Steve Medin
> <Steve_Medin@symantec.com> wrote:
> > Yea, I'm stunned that 50% of respondents can operate in the strait
> > jacket of TCSC, although I can see that working for Plex's customer IP
> > address privacy concern.
>
> TCSC aligns with split-horizon DNS perfectly, so I'm not at all surprised at
> this result.