My comment is correct for the situation as it largely exists today.
That it might be different in the future is a fair point.

-Tim

From: Ryan Sleevi <[email protected]>
Sent: Friday, September 28, 2018 9:04 AM
To: Tim Hollebeek <[email protected]>
Cc: Ben Kaduk <[email protected]>; Ryan Sleevi <[email protected]>; Trans <[email protected]>; [email protected]
Subject: Re: [Trans] responses to Ryan's detailed comments on draft-ietf-trans-threat-analysis-15

On Fri, Sep 28, 2018 at 10:37 AM Tim Hollebeek <[email protected]> wrote:

> For what it's worth, I do not read 6962-bis as "very much being focused" on
> CA-based logging. Consider, for example, certificate subjects submitting
> certificates to logs, something that is done without CA involvement and can be
> done in response to (e.g.) Logs being distrusted or browsers increasing the
> required number of SCTs. It's unclear that CAs have as much incentive as
> subjects to be responsive to changing events in this way.
>
> SCTs have to be included in the certificate so logging by third parties does
> not help with that problem.

This is not correct. Conforming clients MUST support all three methods of delivery of SCTs. No policy or statement in 6962-bis requires that SCTs "have to be included in the certificate". Perhaps you're conflating the requirement with SCTs for precertificates, which has been substantially overhauled in 6962-bis in light of the concerns around precertificates?

I'm not sure where this view that the dominant form is or should be CA initiated logging, or that the intent of 6962-bis is to only countenance that scenario. Over the past 28 days, 46% of the SCTs Chrome has observed have come from the TLS extension, and 53% of them embedded within certificates. 0.01% have come from OCSP responses.

This latter number is no doubt driven by at least three CAs who have a largely homogeneous user base (of government and public sector users) running on Microsoft-based services, such that they were confident enough that they only needed to support OCSP embedding for their subscribers. Any threat model design needs to consider 6962-bis as specified, which is to consider that these different approaches are all equally valid.
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
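The point Ryan makes above, that a conforming client must accept SCTs from the X.509 extension, the TLS extension and the OCSP response alike, as an added example that is not part of this thread: a small Python routine that parses SCT lists from whichever channel delivered them, merges them by log ID, and applies a minimum-SCT policy across all channels together. It assumes the RFC 6962 v1 wire encoding of SignedCertificateTimestampList (6962-bis changes the structure), uses constructed sample SCTs with placeholder signatures, and deliberately leaves signature verification against log public keys out of scope.

```python
"""Merge SCTs from the three RFC 6962 delivery channels (added example).

Constructed sample data; v1 wire format from RFC 6962 sections 3.2/3.3.
Signature verification against log public keys is deliberately omitted.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List

# The three channels a conforming client must accept (RFC 6962 / 6962-bis).
CHANNELS = ("x509_extension", "tls_extension", "ocsp_response")


@dataclass(frozen=True)
class SCT:
    version: int
    log_id: bytes        # SHA-256 of the log's public key, 32 bytes
    timestamp_ms: int
    extensions: bytes
    hash_alg: int
    sig_alg: int
    signature: bytes


def parse_sct(raw: bytes) -> SCT:
    """Parse one SerializedSCT: version, log_id, timestamp, extensions, signature."""
    if len(raw) < 43:  # 1 + 32 + 8 + 2-byte extensions length
        raise ValueError("SCT too short")
    if raw[0] != 0:  # only v1 (value 0) is defined
        raise ValueError(f"unsupported SCT version {raw[0]}")
    log_id = raw[1:33]
    (timestamp_ms,) = struct.unpack(">Q", raw[33:41])
    (ext_len,) = struct.unpack(">H", raw[41:43])
    pos = 43 + ext_len
    extensions = raw[43:pos]
    if len(raw) < pos + 4:
        raise ValueError("SCT signature truncated")
    hash_alg, sig_alg, sig_len = struct.unpack(">BBH", raw[pos:pos + 4])
    signature = raw[pos + 4:pos + 4 + sig_len]
    if pos + 4 + sig_len != len(raw):  # reject trailing or missing bytes
        raise ValueError("SCT signature length mismatch")
    return SCT(0, log_id, timestamp_ms, extensions, hash_alg, sig_alg, signature)


def parse_sct_list(raw: bytes) -> List[SCT]:
    """Parse a SignedCertificateTimestampList: uint16 total, then uint16-prefixed SCTs."""
    if len(raw) < 2 or struct.unpack(">H", raw[:2])[0] != len(raw) - 2:
        raise ValueError("SCT list length mismatch")
    pos, scts = 2, []
    while pos < len(raw):
        if pos + 2 > len(raw):
            raise ValueError("SCT entry length truncated")
        (n,) = struct.unpack(">H", raw[pos:pos + 2])
        if pos + 2 + n > len(raw):
            raise ValueError("SCT entry truncated")
        scts.append(parse_sct(raw[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts


def collect_scts(delivered: Dict[str, bytes]) -> Dict[bytes, SCT]:
    """Merge SCTs from every channel, keyed by log ID so each log counts once."""
    by_log: Dict[bytes, SCT] = {}
    for channel, raw in delivered.items():
        if channel not in CHANNELS:
            raise ValueError(f"unknown delivery channel {channel!r}")
        for sct in (parse_sct_list(raw) if raw else []):
            by_log.setdefault(sct.log_id, sct)
    return by_log


def meets_policy(delivered: Dict[str, bytes], min_distinct_logs: int) -> bool:
    """Apply a minimum-SCT policy over all channels together, never per channel."""
    return len(collect_scts(delivered)) >= min_distinct_logs


# --- constructed sample data (not real log SCTs) -----------------------------
def build_sct(log_id: bytes, timestamp_ms: int) -> bytes:
    """Encode a syntactically valid v1 SCT with a placeholder signature."""
    body = b"\x00" + log_id + struct.pack(">Q", timestamp_ms) + struct.pack(">H", 0)
    sig = b"\x30\x06\x02\x01\x01\x02\x01\x02"  # placeholder DER, not a real ECDSA signature
    return body + struct.pack(">BBH", 4, 3, len(sig)) + sig  # sha256 (4) / ecdsa (3)


def build_sct_list(scts: List[bytes]) -> bytes:
    inner = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(inner)) + inner


LOG_A, LOG_B, LOG_C = (bytes([i]) * 32 for i in (0xA1, 0xB2, 0xC3))
SAMPLE = {
    "x509_extension": build_sct_list([build_sct(LOG_A, 1_538_000_000_000)]),
    "tls_extension": build_sct_list([build_sct(LOG_A, 1_538_000_000_000),
                                     build_sct(LOG_B, 1_538_000_100_000)]),
    "ocsp_response": build_sct_list([build_sct(LOG_C, 1_538_000_200_000)]),
}

if __name__ == "__main__":
    merged = collect_scts(SAMPLE)
    print(f"{len(merged)} distinct logs across {len(SAMPLE)} channels")
    print("policy(2) satisfied:", meets_policy(SAMPLE, 2))
```

The design choice worth noting is that `meets_policy` counts distinct logs over the union of channels: the same SCT arriving both embedded and via the TLS extension counts once, and a certificate whose subscriber delivers SCTs only over OCSP is treated exactly like one with SCTs embedded at issuance, which is what "all three methods" in 6962-bis requires of a client.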
