On 10 September 2014 17:08, Stephen Kent <[email protected]> wrote:
> Ben,
>
>> On 9 September 2014 18:39, Stephen Kent <[email protected]> wrote:
>>>
>>> I agree that the serial number is critical if one plans to revoke the
>>> cert. But, the I-D makes no mention of remediation mechanisms, an
>>> omission I noted in my review a while ago.
>>
>> It makes no mention because they are not in scope. The point of CT is
>> to allow others to vet certificates and take appropriate action when
>> needed.
>
> As I noted earlier, there is no threat model for the CT mechanism.
>
> And there is no mapping of CT to the threat model.
>
> We usually do not standardize security mechanisms when these two
> critical elements are missing.

I think it's pretty clear what the purpose of CT is - to make it
possible to detect mis-issuance of certificates - i.e. that
certificates conform to all the requirements for issuance. And it's
also clear that to do this, you need to be able to see the contents of
the certificate. This is the threat model. Or, if you really want it
phrased as a threat, the threat is that some CA might issue a
certificate that does not conform to the requirements for issuance
(which, btw, vary over time) and the mitigation is a public,
append-only, verifiable log of the contents of all issued
certificates.

The I-D clearly states this already, I think, but if you don't like
the text, perhaps you can propose something you'd like better?

>> It is not up to us to describe all possible problems and how they are
>> remedied. If you think that's a valuable exercise, be my guest.
>
> There is a big difference between "all" and "none."

At least one problem is described: "Those who are concerned about
misissue can monitor the logs, asking them regularly for all new
entries, and can thus check whether domains they are responsible for
have had certificates issued that they did not expect."

I guess we could add some other examples, such as conformance to the
Baseline Requirements.

>>
>> However, when you suggest that inclusion of some particular thing is
>> problematic, then we can, of course, refer to potential problems CT
>> might reveal and available remedies as an illustration of why that
>> thing is needed.
>
> I don't know what this last, rather long sentence means. Please elaborate.

What I meant was that mentioning a problem in order to explain why
some field is needed does not mean that we then have to enumerate all
problems, find a problem that justifies every field, etc.

>
>
> Steve
>
> _______________________________________________
> Trans mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/trans

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
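
The monitoring use case quoted from the I-D in the message above, sketched as an added example (not code from the thread or from the draft). The entry layout, issuer names, serials and domains are constructed for illustration; a real monitor would first parse these fields out of the logged certificates.

```python
# Added example: a domain owner's check over newly logged certificates.
def covers(dns_name, domain):
    """True if a certificate dNSName falls under a watched domain."""
    name = dns_name.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]  # a wildcard is judged by its base name
    # Match on a label boundary so "notexample.com" is not "example.com".
    return name == domain or name.endswith("." + domain)

def unexpected(entries, watched, expected):
    """Return entries that name a watched domain but are not in the owner's
    inventory. `expected` holds (issuer, serial) pairs; serial numbers are
    only unique per issuer, so the pair is what identifies a certificate
    when asking its CA to revoke it."""
    hits = []
    for e in entries:
        if (e["issuer"], e["serial"]) in expected:
            continue
        names = [n for n in e["dns_names"]
                 if any(covers(n, d) for d in watched)]
        if names:
            hits.append({"issuer": e["issuer"], "serial": e["serial"],
                         "names": names})
    return hits

# Constructed sample of new log entries (already decoded; assumed layout).
NEW_ENTRIES = [
    {"issuer": "CN=Example CA 1", "serial": 0x1001,
     "dns_names": ["www.example.com"]},                # known to the owner
    {"issuer": "CN=Other CA", "serial": 0x2A,
     "dns_names": ["*.example.com", "example.net"]},   # wildcard, not expected
    {"issuer": "CN=Other CA", "serial": 0x2B,
     "dns_names": ["notexample.com"]},                 # different domain
    {"issuer": "CN=Other CA", "serial": 0x1001,
     "dns_names": ["Login.Example.COM."]},             # same serial, other issuer
]
WATCHED = {"example.com"}
EXPECTED = {("CN=Example CA 1", 0x1001)}

if __name__ == "__main__":
    for hit in unexpected(NEW_ENTRIES, WATCHED, EXPECTED):
        print(f"unexpected: issuer={hit['issuer']} "
              f"serial={hit['serial']:#x} names={hit['names']}")
```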
