On Oct 17, 2012, at 8:23 AM, Phillip Hallam-Baker <[email protected]> wrote:
> One draft that might be relevant here is my TLS security policy draft which I
> will update later today and the OCSP 'Does not exist' response proposal which
> I don't think made it to a draft.
>
> http://tools.ietf.org/html/draft-hallambaker-tlssecuritypolicy-01

The BoF description is:

   This non-WG forming BoF will discuss plans to specify mechanisms and
   techniques that allow Internet applications to monitor and verify the
   issuance of public X.509 certificates such that all issued certificates
   are available to applications, and each certificate seen by an
   application can be efficiently shown to be in the log of issued
   certificates. Furthermore, it should be possible to cryptographically
   verify the correct operation of the log.

The draft says it is an extension to PKIX certs "to prevent downgrade attacks that are not otherwise prevented by the TLS protocol".

> The relevance of TLS security policy is that it is a slightly more general
> version of the proposed 'OCSP Must staple' certificate extension. The idea is
> that a server puts this extension in a CSR when requesting a certificate and
> this is then included in the certificate produced.
. . .

The draft is focused on current use of OCSP and TLS. That seems possibly relevant for the PKIX or TLS WGs, but not here.

> The interest in a 'does not exist' response in OCSP is that it allows CAs to
> deploy a weak form of transparency almost immediately. By weak transparency I
> mean that a third party can audit the behavior of the CA from public data
> alone but the requirements of this audit make it unsuitable for incorporation
> into a client.

New work on weak transparency through OCSP would be relevant to this BoF, but probably not that useful unless we believed that the PKIX WG would actually allow those changes to OCSP.

> I would also like to suggest that as an interim step we define a simple JSON
> format that CAs would use to report the list of all certificates issued in
> the past hour. This is again a form of weak transparency but I think having
> that data will make it a lot easier to get to a workable system. The idea of
> publishing certs is pretty straightforward, the idea of analyzing the
> published certs is pretty straightforward. Both deliver a significant value
> that can be realized in a 12 month timeframe.

I recognize that you don't have an Internet Draft on that specific topic, but if you could put together a short presentation on it, it would be useful for the BoF.

--Paul Hoffman
