On 21/09/16 23:00, Ryan Sleevi wrote:
> On Wed, September 21, 2016 11:15 am, Melinda Shore wrote:
>>  On 9/21/16 5:23 AM, Tarah Wheeler wrote:
>>> Hi, I'm Tarah, and I'm new at Symantec. I'll be reviewing and responding
>>> to the CT redaction thread, and actively involved in proposals.
>>
>>  A few months ago Symantec had stated that they'll be publishing
>>  redacted labels - is that still the case?
> 
> Symantec has stood up an RFC 6962-like log that supports an earlier
> version of the redaction scheme, which reflects the thinking from 6962-bis
> Draft 14.

Symantec are still doing this today (e.g., https://crt.sh/?id=33742991
is a precertificate that was logged only a few hours ago).

The following report shows all of the "redacted precertificates" that
Symantec have issued, along with the corresponding certificates (where
known to CT):

https://crt.sh/reports/20160922_redacted-precertificates.html

> It is not trusted by any CT client widely deployed, because it does not
> implement RFC 6962 (which, as we know, does not support redaction).
> 
> Symantec has also had trouble, both with first-party and third-party
> integrations (such as Venafi), with logging redacted certificates,
> resulting in what might be described as 'over-redacted' certificates. That
> is, certificates which are redacted even though their domains are public
> and widely known, which is in conflict with Symantec's stated need for the
> use case of redaction.
> 
> This has been summarized at
> https://sslmate.com/blog/post/ct_redaction_in_chrome_53 for example, but
> reflects redaction occurring for widely used, publicly disclosed domain
> names - which seems at direct odds with the stated use cases.
> 
> Such previous explanations of Symantec's redaction policies can be found
> at
> http://www.symantec.com/connect/blogs/privacy-redaction-and-certificate-transparency
> and
> http://www.symantec.com/connect/blogs/balancing-certificate-transparency-and-privacy
> , however, the evidence since these posts indicates an inconsistency in the
> actual use case and policies.
> 
> This is perhaps a useful study into the utility, and the risk, of redaction.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
Trans mailing list
Trans@ietf.org
https://www.ietf.org/mailman/listinfo/trans
