Certificate Transparency: Domain Label Redaction
draft-strad-trans-redaction-00

Document Type Active Internet-Draft (individual)
Last updated 2016-08-31
TRANS (Public Notary Transparency)                          R. Stradling
Internet-Draft                                           Comodo CA, Ltd.
Intended status: Experimental                                 E. Messeri
Expires: March 4, 2017                                    Google UK Ltd.
                                                         August 31, 2016

            Certificate Transparency: Domain Label Redaction
                     draft-strad-trans-redaction-00

Abstract

   We define a mechanism to allow DNS domain name labels that are
   considered to be private to not appear in public Certificate
   Transparency (CT) logs, while still retaining most of the security
   benefits that accrue from using Certificate Transparency mechanisms.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 4, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Stradling & Messeri       Expires March 4, 2017                 [Page 1]
Internet-Draft          CT Domain Label Redaction            August 2016

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   3
   3.  Redacting Labels in Precertificates . . . . . . . . . . . . .   3
   4.  redactedSubjectAltName Certificate Extension  . . . . . . . .   4
   5.  Verifying the redactedSubjectAltName extension  . . . . . . .   4
   6.  Reconstructing the TBSCertificate . . . . . . . . . . . . . .   5
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
     7.1.  Avoiding Overly Redacting Domain Name Labels  . . . . . .   5
   8.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .   6
     8.1.  Ensuring Effective Redaction  . . . . . . . . . . . . . .   6
   9.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   6
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     10.1.  Normative References . . . . . . . . . . . . . . . . . .   6
     10.2.  Informative References . . . . . . . . . . . . . . . . .   7
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   Some domain owners regard certain DNS domain name labels within their
   registered domain space as private and security sensitive.  Even
   though these domains are often only accessible within the domain
   owner's private network, it's common for them to be secured using
   publicly trusted Transport Layer Security (TLS) server certificates.

   Certificate Transparency [I-D.ietf-trans-rfc6962-bis] describes a
   protocol for publicly logging the existence of TLS server
   certificates as they are issued or observed.  Since each TLS server
   certificate lists the domain names that it is intended to secure,
   private domain name labels within registered domain space could end
   up appearing in CT logs, especially as TLS clients develop policies
   that mandate CT compliance.  This seems like an unfortunate and
   potentially unnecessary privacy leak, because it's the registered
   domain names in each certificate that are of primary interest when
   using CT to look for suspect certificates.

   TODO: Highlight better the differences between registered domains and
   subdomains, referencing the relevant DNS RFCs.

   Section TBD of [I-D.ietf-trans-rfc6962-bis] proposes two mechanisms
   for dealing with this conundrum: wildcard certificates and name-
   constrained intermediate CAs.  However, these mechanisms are
   insufficient to cover all use cases.

   TODO(eranm): Expand on when each of the other mechanisms is suitable
   and when this mechanism may be suitable.
