On 14/01/15 20:09, Stephen Kent wrote:
Rob,
You made several good points that address the concerns I raised.
Thanks Steve. :-)
If the pre-cert format is NOT a cert (or a TBSCertificate),
then the syntax specified in 5280 and its predecessors (and X.509)
doesn't strictly apply. I forgot, what is the source of the CMS object
format we decided upon?
The new precert format will be documented in the -05 version of the
6962-bis I-D (which we intend to publish real soon now). For a preview
of the text, look here...
https://github.com/google/certificate-transparency-rfcs/blob/master/rfc6962-bis.xml#L332
It's not (just) a TBSCertificate, but it does incorporate a
TBSCertificate (wrapped inside a CMS signed-data object).
I also checked with one of the authors of 2459 and he agreed that we
always thought in terms of "*" as _the_ wildcard character, but that
since we didn't say so explicitly, there is no basis for rejecting
"?" or another character. I do suggest that the WG coordinate with some
DNS experts to see what they think about our use of non-DNS characters
in what is a DNS name pattern matching context, and whether they have a
preference for any specific character.
That seems like a good idea. Did you have any particular DNS experts in
mind?
The distinction that you made between the semantics of "*" and the
intended semantics for "PRIVATE" was one I had not realized.
Specifically, you noted that "*" matches any label whereas "?" is
intended to match only one (redacted) label.
That seems like a good reason to use a different character, but it also
raises the question of how a Monitor or TLS client is supposed to
enforce this requirement. Do you envision these clients remembering
every cert that they encounter that matches a redacted pre-cert, and
checking to see if a CA has issued two certs with different values for a
redacted DNS label?
No, I wasn't envisaging that Monitors and/or TLS clients would
necessarily do that.
If not, why state this as a requirement?
I don't think the current text does state this as a requirement.
If there are multiple certs (which may or may not contain different
unredacted domain label(s)) that match one redacted precert, then those
certs will all share the same Serial Number and be issued by the same CA.
RFC5280 already disallows this, so 6962-bis doesn't also need to
disallow it. :-)
Hmmm...
Should we specify that the redaction label (i.e. "(PRIVATE)" or "?" or
whatever the DNS experts prefer) MUST NOT match "*" in the cert?
I can't think of a legitimate reason to hide wildcard certs from the log.
Steve
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
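Added example (mine, not from this thread or from the 6962-bis I-D): a small Python model of the matching semantics discussed above, with "?" assumed as the redaction label and all issuer names, serial numbers and DNS names constructed. It shows the distinction Steve pointed out (one redaction label stands for exactly one label, so a wildcard label in the final cert is never a match, and the label counts must agree), and the check a Monitor would have to perform if it did track the certs matching a redacted precert: since such certs share issuer and serial, more than one distinct SAN list under that pair is the RFC 5280 violation Rob describes.

```python
# Added example (not from the thread): matching final certificates against a
# redacted precertificate, and the Monitor-side check Steve asked about.
# Assumptions: "?" is the redaction label (one of the candidates discussed);
# every issuer name, serial number and DNS name below is constructed.
from dataclasses import dataclass
from typing import List, Set, Tuple

REDACTION_LABEL = "?"  # assumed candidate; the WG had not settled on a character


def split_labels(name: str) -> List[str]:
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def label_matches(precert_label: str, cert_label: str) -> bool:
    """Compare one precert label with one final-cert label.

    A redaction label stands for exactly one real label in the final cert, so
    it must not match the wildcard label "*" (hiding wildcard certs from the
    log is the case the thread wants to rule out) or an empty label.
    """
    if precert_label == REDACTION_LABEL:
        return cert_label not in ("*", "")
    return precert_label == cert_label


def matches_redacted_precert(precert_name: str, cert_name: str) -> bool:
    """True if cert_name is one of the names the redacted precert_name stands for.

    Unlike a wildcard, a redaction label never absorbs extra labels: the two
    names must have the same number of labels and match label by label.
    """
    p_labels, c_labels = split_labels(precert_name), split_labels(cert_name)
    if len(p_labels) != len(c_labels):
        return False
    return all(label_matches(p, c) for p, c in zip(p_labels, c_labels))


@dataclass(frozen=True)
class Precert:
    issuer: str
    serial: int
    dns_names: Tuple[str, ...]  # may contain redaction labels


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    dns_names: Tuple[str, ...]  # fully unredacted names from the final cert


def cert_matches_precert(precert: Precert, cert: Cert) -> bool:
    """A final cert corresponds to a precert when issuer and serial agree and
    every DNS name matches the precert's name in the same position."""
    if (precert.issuer, precert.serial) != (cert.issuer, cert.serial):
        return False
    if len(precert.dns_names) != len(cert.dns_names):
        return False
    return all(matches_redacted_precert(p, c)
               for p, c in zip(precert.dns_names, cert.dns_names))


def distinct_name_sets(precert: Precert,
                       seen_certs: List[Cert]) -> Set[Tuple[str, ...]]:
    """The Monitor-side check from the thread: the distinct DNS-name lists of
    every cert seen that matches this redacted precert. More than one entry
    means the CA issued two different certs under one issuer/serial pair,
    which RFC 5280's serial-number uniqueness rule already forbids."""
    return {c.dns_names for c in seen_certs if cert_matches_precert(precert, c)}


# Constructed sample data: one redacted precert and a few certs a Monitor saw.
EXAMPLE_PRECERT = Precert("CN=Example CA", 1001, ("?.example.com",))
EXAMPLE_CERTS = [
    Cert("CN=Example CA", 1001, ("www.example.com",)),   # legitimate match
    Cert("CN=Example CA", 1001, ("mail.example.com",)),  # same serial, other label
    Cert("CN=Example CA", 1001, ("*.example.com",)),     # wildcard: never a match
    Cert("CN=Example CA", 1002, ("www.example.com",)),   # different serial
]

if __name__ == "__main__":
    for cert in EXAMPLE_CERTS:
        print(cert.dns_names, cert_matches_precert(EXAMPLE_PRECERT, cert))
    names = distinct_name_sets(EXAMPLE_PRECERT, EXAMPLE_CERTS)
    print("distinct name lists under issuer/serial:", names)
    print("RFC 5280 serial reuse detected:", len(names) > 1)
```

Running it as a script prints each sample cert with whether it matches the precert, then reports the serial-number reuse between the two certs with different unredacted labels; the wildcard cert and the cert with a different serial are left out of that set.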