Re: [Trans] responses to Ryan's detailed comments on draft-ietf-trans-threat-analysis-15

Stephen Kent <stephentkent@gmail.com> Fri, 28 September 2018 14:21 UTC

To: Benjamin Kaduk <kaduk@mit.edu>, Ryan Sleevi <ryan-ietf@sleevi.com>
Cc: Trans <trans@ietf.org>
References: <071bd596-07ec-fe8a-861c-3ef181fec848@gmail.com> <CAErg=HEschK1K9UwS79uOPjgeCxVy4cEDHzhCQxpJrc3LxqNDQ@mail.gmail.com> <20180928022909.GG24695@kduck.kaduk.org>
From: Stephen Kent <stephentkent@gmail.com>
Message-ID: <abcf96f8-f7b9-267d-3517-e9dc40fae04a@gmail.com>
Date: Fri, 28 Sep 2018 10:21:47 -0400
In-Reply-To: <20180928022909.GG24695@kduck.kaduk.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/yrfY1ZGbSG__Ly8VOLaOfihVgUk>

Ben,
> ...
> For what it's worth, I do not read 6962-bis as "very much being focused" on
> CA-based logging.  Consider, for example, certificate subjects submitting
> certificates to logs, something that is done without CA involvement and can
> be done in response to (e.g.) Logs being distrusted or browsers increasing
> the required number of SCTs.  It's unclear that CAs have as much incentive
> as subjects to be responsive to changing events in this way.
>
> -Ben

I agree that a diligent Subject can benefit from submitting its cert to 
a Log, to receive an SCT and, optionally, an STH. When CT was initially 
proposed, the CA-submission approach was emphasized, because it was 
perceived as easier to "persuade" the relatively small number of CAs to 
submit pre-certs/certs, vs. the very large number of web sites. Also, 
since we have seen many web sites sending expired certs to browsers 
during TLS session establishment, one can question how diligent these 
websites will be when dealing with the additional administrative burdens 
imposed by CT. But, for diligent website operators, Subject submission 
does offer benefits.

Note that I made a number of changes to the text to address many of 
Ryan's latest set of comments, in a message posted a few minutes ago. 
Included in these changes is a revision of Figure 1 to show CA and 
Subject submission of certs to Logs.

Steve