Hi everybody,
Context

We are working on STAR [1], an ACME extension to allow a name owner to obtain a string of short-lived certificates that are automatically renewed by the issuing CA. Using STAR, the name owner controls the lifetime of the renewal process, which can continue for as long as initially agreed, or prematurely come to a halt due to, e.g., a key compromise. STAR removes the dependency on the revocation infrastructure, while at the same time automating (and minimizing) the interaction of the certificate owner with her RA/CA. So far so good.

STAR + CT

Obviously, we’d want STAR to work well with Certificate Transparency. However, it looks like this might not be as easy as we want it to be, because of the increase in the ingestion rate and the consequent implications on log structure, implementation, rotation, monitoring, etc.

What we were thinking, though – and this is where we’d need your help, since none of us is a CT expert – is that a STAR certificate, except in the degenerate case where a user requests a very low number of renewals, can be thought of as a single “usual” certificate that is made of a collection of otherwise identical short-lived certificates that differ only in their (sliding) validity windows. If so, it seems (at least theoretically) possible to treat all of them as a single entity from a CT log perspective?

A fallback: the “Certificate Transparency with Privacy” proposal

In case the above hypothesis doesn’t hold true: a few weeks ago, we got in touch with Eran because of his recent PETS paper, in which he sketches a mechanism for dealing with short-lived certs in the context of CT (section 4 of [2]). Unfortunately, he told us that he wasn’t working on CT anymore and therefore would not progress those ideas further. Would any of you be interested in taking over from him and maybe bringing it to standardization?
Cheers, thanks very much,

[1] https://datatracker.ietf.org/doc/draft-ietf-acme-star/
[2] https://petsymposium.org/2017/papers/issue4/paper69-2017-4-source.pdf

PS: At least two of us will be in Singapore: if any of you would like to have a f2f discussion, we’d be more than happy to.
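As an added illustration of the “single entity” idea in the message above (this is not code from the STAR draft, from the authors, or from any CT log implementation), the following Python models what a CT monitor would have to do to treat a run of STAR renewals as one logical certificate: reduce each logged certificate to a key over the fields that do not change between renewals, group on that key, and then check that the sliding validity windows of a series actually overlap, so that a premature halt shows up as a gap in coverage. Two assumptions are built in and labelled in the code: the `Cert` dataclass is a simplified stand-in for an X.509 TBSCertificate, and the serial number is masked out along with the validity window, since every issued certificate needs a fresh serial even when nothing else changes. All names, digests and dates are constructed sample data.

```python
"""Added example: a CT-monitor-side model of STAR renewals as one logical series.

Certificates that differ only in their sliding validity window (and, by
assumption here, in serial number) land in the same series; a key rollover
starts a new series; a gap between consecutive windows is reported.
The Cert dataclass is a simplified stand-in for an X.509 TBSCertificate.
"""
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Cert:
    serial: int
    issuer: str
    subject: str
    sans: tuple            # subjectAltName dNSNames
    spki_sha256: str       # hex digest of the SubjectPublicKeyInfo
    not_before: datetime
    not_after: datetime


def series_key(cert: Cert) -> str:
    """Hash of the renewal-invariant fields; validity and serial are masked out."""
    invariant = {
        "issuer": cert.issuer,
        "subject": cert.subject,
        "sans": sorted(cert.sans),
        "spki_sha256": cert.spki_sha256,
    }
    blob = json.dumps(invariant, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def group_series(certs):
    """Group logged certificates into STAR series, each sorted by notBefore."""
    groups = {}
    for cert in certs:
        groups.setdefault(series_key(cert), []).append(cert)
    for members in groups.values():
        members.sort(key=lambda c: c.not_before)
    return groups


def coverage_gaps(series):
    """Return (prev.notAfter, next.notBefore) pairs where consecutive windows do not overlap."""
    gaps = []
    for prev, nxt in zip(series, series[1:]):
        if nxt.not_before > prev.not_after:
            gaps.append((prev.not_after, nxt.not_before))
    return gaps


def issue_star_renewals(base: Cert, period_days: int, count: int):
    """Constructed stand-in for the CA: `count` renewals of `base`, one every
    `period_days`, each keeping base's lifetime and getting a fresh serial."""
    lifetime = base.not_after - base.not_before
    out = []
    for i in range(count):
        nb = base.not_before + timedelta(days=i * period_days)
        out.append(replace(base, serial=base.serial + i, not_before=nb, not_after=nb + lifetime))
    return out


# Constructed sample data: a 3-day STAR certificate for www.example.org.
BASE = Cert(
    serial=1000,
    issuer="CN=Example STAR CA",
    subject="CN=www.example.org",
    sans=("www.example.org", "example.org"),
    spki_sha256="a" * 64,            # placeholder digest, not a real key
    not_before=datetime(2018, 1, 1),
    not_after=datetime(2018, 1, 4),
)
# Same name, new key: a key rollover starts a new series rather than extending the old one.
ROLLOVER = replace(BASE, serial=2000, spki_sha256="b" * 64,
                   not_before=datetime(2018, 1, 9), not_after=datetime(2018, 1, 12))


def demo():
    """Run the monitor over healthy renewals, a key rollover, and a series with gaps."""
    healthy = issue_star_renewals(BASE, period_days=2, count=5)   # 3-day certs every 2 days
    groups = group_series(healthy + [ROLLOVER])
    gapped = issue_star_renewals(BASE, period_days=4, count=3)    # 3-day certs every 4 days
    return {
        "series_count": len(groups),
        "healthy_gaps": coverage_gaps(groups[series_key(BASE)]),
        "gapped_gaps": coverage_gaps(gapped),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it groups the five overlapping renewals and the rollover certificate into two series, reports no gaps for the healthy series, and reports two one-day gaps for the series renewed less often than its lifetime. Which fields belong in the invariant set is exactly the question a log or monitor would have to settle before treating a STAR run as one entry; here SCT-bearing extensions are deliberately not modelled.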
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
