#23: How can TLS clients match an SCT to a certificate?
Comment (by [email protected]):

Also discussed with Eran just now: In comment:1 I suggested that it might be useful to define an ItemExtension for gossip (i.e. "This SCT (or SCT inclusion proof) isn't relevant to any of the certificates you're currently interested in, but nonetheless please keep a copy of it and send it to some other TLS servers you communicate with.") However, we could define a different mechanism for signalling this: two ideas...

- Define a new range of TransType values that mirror the existing set. The log would produce SCTs, inclusion proofs, etc., using the existing set of TransType values; the TLS server would modify the TransType of an object it's gossiping; then the (gossip-supporting) TLS client would spot that this object is being gossiped, then restore the original TransType if it wants to verify the TransItem's signature. (Clients that don't support gossip via this mechanism would simply ignore the TransItem objects with TransType values they don't recognize.)

- As per comment:6, an additional TransItem could be added by the TLS server (using a not-yet-defined TransType value) that contains additional metadata about other TransItems in the list. One drawback of this approach is that if the TLS client doesn't recognize this not-yet-defined TransType value, it would try to verify the gossiped SCTs / inclusion proofs against the TLS server's certificate/chain.

The second of these approaches would need to be documented in 6962-bis to ensure that the described drawback does not occur. The first of these approaches could be implemented entirely in the gossip draft. 6962-bis need not know anything about it.
--
Reporter: [email protected] | Owner: [email protected]
Type: defect | Status: new
Priority: major | Milestone:
Component: rfc6962-bis | Version:
Severity: - | Resolution:
Keywords: |
Ticket URL: <https://trac.tools.ietf.org/wg/trans/trac/ticket/23#comment:7>
trans <https://tools.ietf.org/trans/>
Trans mailing list: [email protected] <https://www.ietf.org/mailman/listinfo/trans>
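Added example, not part of the ticket or of any 6962-bis or gossip draft text: a Python sketch of the first approach above, the mirrored TransType range, showing a TLS client that verifies log-typed items against the server's chain, restores the original TransType on gossiped items before any signature check, and steps over types it does not recognize. The TransType numbers, the 0x8000 gossip offset and the uint16 length-prefixed item framing are assumptions made for illustration.

```python
import struct
# Assumed TransType values and gossip offset, for illustration only;
# use the values your 6962-bis revision actually defines.
X509_SCT_V2, PRECERT_SCT_V2, INCLUSION_PROOF_V2 = 3, 4, 7
LOG_TYPES = {X509_SCT_V2, PRECERT_SCT_V2, INCLUSION_PROOF_V2}
GOSSIP_OFFSET = 0x8000  # gossiped type = original type + offset

def to_gossip_type(trans_type):
    # TLS server side: relabel an item it is merely relaying
    return trans_type + GOSSIP_OFFSET

def serialize_trans_item_list(items):
    # Assumed framing: uint16 list length, then per item a uint16 length
    # followed by the uint16 TransType and the item's data
    body = b"".join(struct.pack(">HH", 2 + len(d), t) + d for t, d in items)
    return struct.pack(">H", len(body)) + body

def parse_trans_item_list(buf):
    # The per-item length lets a client step over types it cannot decode
    if len(buf) < 2 or struct.unpack(">H", buf[:2])[0] != len(buf) - 2:
        raise ValueError("bad TransItemList length")
    items, off = [], 2
    while off < len(buf):
        n = struct.unpack(">H", buf[off:off + 2])[0]
        body = buf[off + 2:off + 2 + n]
        if n < 2 or len(body) != n:
            raise ValueError("truncated TransItem")
        items.append((struct.unpack(">H", body[:2])[0], body[2:]))
        off += 2 + n
    return items

def triage(items, supports_gossip):
    # Client side: LOG_TYPES items are checked against this server's chain;
    # gossiped items get their original type back and are set aside to relay
    verify, relay, ignored = [], [], []
    for t, data in items:
        if t in LOG_TYPES:
            verify.append((t, data))
        elif supports_gossip and (t - GOSSIP_OFFSET) in LOG_TYPES:
            relay.append((t - GOSSIP_OFFSET, data))
        else:
            ignored.append((t, data))
    return verify, relay, ignored

# Constructed sample: an SCT for this chain, a gossiped SCT, an unknown type
SAMPLE = serialize_trans_item_list([
    (X509_SCT_V2, b"sct-for-this-chain"),
    (to_gossip_type(X509_SCT_V2), b"sct-seen-elsewhere"),
    (0x7FFF, b"future-type"),
])
```

Running triage with supports_gossip=False shows the legacy behaviour the comment describes: the gossiped item is simply ignored rather than verified against the wrong chain.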
