Re: [wpkops] draft-housley-web-pki-problems-00

Jeremy Rowley <jeremy.rowley@digicert.com> Thu, 09 July 2015 03:05 UTC

From: Jeremy Rowley <jeremy.rowley@digicert.com>
To: Ralph Holz <ralph.ietf@gmail.com>
Thread-Topic: [wpkops] draft-housley-web-pki-problems-00
Date: Thu, 9 Jul 2015 03:05:55 +0000
Message-ID: <3dcffcf4bf7441c897115a2002a502cd@EX2.corp.digicert.com>
References: <28D7CC3C-E21C-4D01-8F13-F2D661D82D71@vigilsec.com> <8d66da4eb5d24bb89f8d6b934640ea61@EX2.corp.digicert.com> <CA+K9O5QgGKtNxGLkOKwPsgL9CJBA-N+6v3wPWw+f_qQYcsJW-w@mail.gmail.com>
In-Reply-To: <CA+K9O5QgGKtNxGLkOKwPsgL9CJBA-N+6v3wPWw+f_qQYcsJW-w@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/wpkops/hBMgHH-tKNd3eucdquqhnQKvP78>
Cc: "wpkops@ietf.org" <wpkops@ietf.org>, Russ Housley <housley@vigilsec.com>
Subject: Re: [wpkops] draft-housley-web-pki-problems-00

I’m not sure this is detailing shortcomings in technology. Instead, the draft is really pointing to issues in implementation?  For example, revocation checking exists. Some browsers choose not to use it in the traditional sense for various well-documented reasons. Should the RFC detail why the user agents are not implementing instead of saying it’s not snappy enough? Same with “too big to fail”. Instead of saying that it’s an issue, the draft should say there’s a difficulty in enforcing requirements against root store operators because their decision tends to be binary (either trust or not trust). Although, as Gerv pointed out, Mozilla has shown there are non-binary alternatives.


From: Ralph Holz [mailto:ralph.ietf@gmail.com]
Sent: Wednesday, July 8, 2015 7:41 PM
To: Jeremy Rowley
Cc: Russ Housley; wpkops@ietf.org
Subject: Re: [wpkops] draft-housley-web-pki-problems-00

Informational RFCs that detail shortcomings of technology exist - see, e.g., the work done in the UTA WG (disclaimer: I am a co-author of one such RFC).

Calling for specific mechanisms or forums is indeed odd. I'd suggest to rather go for a list of pointers instead.

Ralph

On 8 July 2015 at 05:36, Jeremy Rowley <jeremy.rowley@digicert.com> wrote:
This paper sounds like a wish list of select issues taken from the Mozilla forums.  I don't see why it would be published as an informational RFC? Is the goal to make a list of issues that community members feel need to be discussed? I don't get it.

The conclusions seem to be 1) Have a CAB Forum that is more transparent (which is out of scope of the IETF - I'm not sure I've ever seen an IETF paper specifically call out to another industry body requesting a change in its membership?) and 2) Use Let's Encrypt - one specific member of the CA community.  Many CAs already offer free tools to automate issuance, making the call out to Let's Encrypt very odd in an IETF document, especially where the touted feature - new automated tools - already exists (https://www.digicert.com/express-install/).  I have a similar complaint about the reference to acme where PHB has been proposing something similar for a LONG time (https://tools.ietf.org/html/draft-hallambaker-omnibroker-06).

I'm also not sure why you selected the specific issues for inclusion in the paper. For example, the paper doesn't mention inconsistencies in validation levels, which (imo) is a bigger issue than the "too big to fail" scenario. Cost also is a weird issue to include in the document since it's always relative.  It's also very difficult to discuss without running afoul of anti-trust laws.

Jeremy

-----Original Message-----
From: wpkops [mailto:wpkops-bounces@ietf.org] On Behalf Of Russ Housley
Sent: Tuesday, July 7, 2015 8:57 AM
To: wpkops@ietf.org
Subject: [wpkops] draft-housley-web-pki-problems-00

I want to make people on this list aware of this draft that was posted yesterday.

Stephen Farrell suggested that this list might be a good place to discuss it.

Russ

_______________________________________________
wpkops mailing list
wpkops@ietf.org
https://www.ietf.org/mailman/listinfo/wpkops