Brad,
Stephen,
Below was your original question, which I've attempted to answer in as
straightforward a manner as possible, including illustrative examples from
recent history. Detecting mis-issuance of certificates through public logging
of such is the stated goal of the I-D.
The I-D fails to describe what constitutes mis-issuance. there appears
to be many examples
where Web PKI CAs issue certs that do not comply with RFC 5280 (see the
WPKOPS WG).
Are those certs mis-issued? Or, are certs that are syntactically valid,
maybe even
5280-compliant, but issued to the "wrong" subject mis-issued? or, ...
The I-D needs to be more precise in defining. Logging, per se, permits
folks who monitor
logs to detect mis-issuance, but does not solve the problems caused by
mis-issuance. If detection were sufficient, then there would be no need
for TLS clients to reject certs w/o
SCTs (as mandated by the current I-D). I'm guessing that there is a
notion of how the various elements of CT work together to address the
problems that result from mis-issuance, but the
I-D fails to articulate this notion. That's a serious omission.
The complex nature of X.509/PKIX and the surrounding technology ecosystem and
the history of vulnerabilities in such demonstrates that including everything
in the log except that which MUST be excluded furthers that goal. There is not
a specific threat model nor any need to articulate one.
For several years it has been common practice to require a threat model
for new security efforts in the IETF. Why do uyou believe that TRANS
should be an exception?
We desire a technology that is useful against as many threats to the broad
certificate ecosystem as possible, including those yet to be formally
anticipated.
The scope here is essentially the Web PKI used with TLS, primarily as
used by in browsers;
it is not all possible uses of certs with IETF security protocols. So
the "broad certificate ecosystem" is not universal, right?
Steve
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
