On Tue 2015-01-27 07:58:14 -0500, Rob Stradling wrote:
> On 27/01/15 10:51, Rob Stradling wrote:
>> On 21/01/15 18:49, Stephen Kent wrote:
>>> Rob,
>>
>> Hi Steve.
>>
>>>> That seems like a good idea. Did you have any particular DNS experts
>>>> in mind?
>>>
>>> I'd ask Joel Jaeggli <[email protected]> for suggestions.
>>
>> Thanks. I'll contact Joel.
>
> Actually, before I do that...
>
> We've already thought of two possible ways to express redacted label(s)
> in a Precertificate:
> 1. "(PRIVATE)." matching >=1 redacted labels.
> 2. "?." matching =1 redacted label.
>
> But it occurs to me that there's a third option:
> 3. "" matching >=0 redacted labels.
>
> Option 3 would hide the fact that redaction is even occurring. We
> wouldn't need to use "(PRIVATE)" or "?" or seek any alternative
> redaction label proposals from the DNS experts. :-)
>
> Would folks be happy with option 3?
The proposal is that "foo.example.com" could be registered with the CA
as "example.com" -- this seems problematic for operators of a sub-zone
who expect their parent zone to be fully-enumerated.

Let's say the operator of example claims to be fully-publicly logged,
and lets me register dkg.example.net. I want to know that the .example.net
operators won't be able to masquerade as dkg.example.net without issuing a
certificate that I can find in the public logs, tied to my name.

Under proposal (2), I need to scan the logs for anything that ends in
dkg.example.net, or ?.example.net, that I didn't request. If something like
that shows up, then I know something is fishy.

But the .example.net operators may have a legitimate reason for wanting to
issue a certificate for "example.net" -- now they have a way of
impersonating me that CT doesn't help me to detect.

I think option 3 defeats one of the main aims of CT.
--dkg
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
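The monitoring argument in dkg's reply, as an added example that is not part of the thread: a toy log-scanning check for one name under the three redaction syntaxes Rob listed. The log entries, the name dkg.example.net and the "requested" list are constructed for the example; the helper names are hypothetical.

```python
# Added example (not from the trans thread): how a domain owner's log
# monitor fares under each redaction syntax from Rob's message.
# Option 1: "(PRIVATE)." stands for >=1 redacted labels.
# Option 2: "?."         stands for exactly 1 redacted label.
# Option 3: ""           stands for >=0 redacted labels (no marker at all).

MY_NAME = "dkg.example.net"            # constructed: the name I own
MY_REQUESTED = ["dkg.example.net"]     # constructed: certs I asked for

# Constructed names as a monitor might extract them from logged (pre)certs.
CONSTRUCTED_LOG = [
    "dkg.example.net",        # my own certificate
    "www.example.net",        # unrelated sibling, not suspicious
    "(PRIVATE).example.net",  # option 1 redaction, could hide dkg
    "?.example.net",          # option 2 redaction, could hide dkg
    "?.?.example.net",        # option 2 with two labels, cannot be dkg.example.net
    "example.net",            # option 3 redaction, OR a legitimate parent cert
]


def could_cover(logged: str, mine: str, option: int) -> bool:
    """True if `logged` may be a redacted form of `mine` under `option`."""
    if logged == mine:
        return True
    l, m = logged.split("."), mine.split(".")
    if option == 1 and l[0] == "(PRIVATE)":
        suffix = l[1:]  # marker swallows one or more leading labels
        return len(m) > len(suffix) and m[-len(suffix):] == suffix
    if option == 2 and "?" in l:
        # each "?" hides exactly one label, so label counts must match
        return len(l) == len(m) and all(a == b or a == "?" for a, b in zip(l, m))
    if option == 3:
        # a bare parent name could be hiding any number of labels
        return mine.endswith("." + logged)
    return False


def suspicious(log, mine: str, option: int, requested) -> list:
    """Logged names that could be certs for `mine` which I did not request."""
    return [n for n in log if could_cover(n, mine, option) and n not in requested]


def redaction_visible(logged: str, option: int) -> bool:
    """Whether the syntax itself reveals that labels were hidden.

    Under option 3 this is never True: a redacted "example.net" is
    byte-for-byte identical to a legitimate certificate for example.net,
    which is exactly why the monitor cannot tell them apart."""
    first = logged.split(".")[0]
    return (option == 1 and first == "(PRIVATE)") or (option == 2 and first == "?")


if __name__ == "__main__":
    for opt in (1, 2, 3):
        hits = suspicious(CONSTRUCTED_LOG, MY_NAME, opt, MY_REQUESTED)
        print(opt, hits, [redaction_visible(h, opt) for h in hits])
```

Under options 1 and 2 the flagged entry carries the redaction marker, so it is a real signal; under option 3 the only flagged entry is the parent's own name, which the monitor would have to treat as suspicious every time the parent legitimately gets a certificate.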