On Wed, 22 Mar 2017 19:31:43 +0000
Tarah Wheeler <[email protected]> wrote:
> Peter Bowen and I have been collaborating on a possible solution for
> certificate privacy. Thoughts?
Hi Tarah and Peter,
Your proposal is very similar to the original redaction mechanism
that existed in draft-ietf-trans-rfc6962-bis-16, the main differences
being your proposal also supports IP address redaction and solves the
multiple-certs-per-precert problem.
Like the original redaction mechanism, your proposal imposes a high
complexity cost on TLS clients by forcing them to do a lot of decoding
and re-encoding of a certificate in order to reconstruct the
pre-certificate. This problem was discussed here:
https://mailarchive.ietf.org/arch/msg/trans/WU_XveDh0GmyyiQbmqEr1SVuC84
https://mailarchive.ietf.org/arch/msg/trans/eOHPqmAskBXMrGzSJAFzT9dzwOQ
It led to the solution in draft-ietf-trans-rfc6962-bis-17 (now in
draft-strad-trans-redaction-00), described here:
https://mailarchive.ietf.org/arch/msg/trans/gGWZhqCXG0wlkktB_d0a2fPM4VU
I think that any new redaction proposal should address the problem of
client complexity at least as well as draft-strad-trans-redaction-00
does.
Regards,
Andrew
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
