Last Call Review of draft-ietf-trans-rfc6962-bis-39
review-ietf-trans-rfc6962-bis-39-secdir-lc-kaufman-2021-07-08-00

Request Review of draft-ietf-trans-rfc6962-bis
Requested revision No specific revision (document currently at 42)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2021-06-18
Requested 2021-06-04
Authors Ben Laurie , Adam Langley , Emilia Kasper , Eran Messeri , Rob Stradling
I-D last updated 2021-07-08
Completed reviews Genart Last Call review of -31 by Joel M. Halpern (diff)
Tsvart Last Call review of -31 by Jana Iyengar (diff)
Secdir Telechat review of -31 by Charlie Kaufman (diff)
Secdir Last Call review of -39 by Charlie Kaufman (diff)
Assignment Reviewer Charlie Kaufman
State Completed
Request Last Call review on draft-ietf-trans-rfc6962-bis by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/UkBHCgs6Y2hBwDprkd26x4y6i7s
Reviewed revision 39 (document currently at 42)
Result Has issues
Completed 2021-07-03
review-ietf-trans-rfc6962-bis-39-secdir-lc-kaufman-2021-07-08-00
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
 Document editors and WG chairs should treat these comments just like any other
last call comments.

I reviewed -31 two years ago, found no problems with it then, and examining the
diffs find no problems with those either.

This is an interesting proposal for testing the validity of certificates in the
Internet PKI (in addition to CRLs, OCSP, some DNS extension, and perhaps some
others I'm forgetting), and it has functionality that overlaps with those.
**PEOPLE INTERESTED IN TECHNICAL APPROACHES TO IMPROVING THE SECURITY OF THE
INTERNET PKI SHOULD TAKE A LOOK AT THIS APPROACH WHETHER OR NOT THIS PARTICULAR
PROPOSAL SUCCEEDS**.

It is a little odd that this is classed as experimental given that it appears
to be deployed in Chrome and has enough history and evolution to be issuing a
-bis.

The goal of this protocol is to prevent someone who captures the private key of
a Certification Authority from issuing certificates for occasional use without
the knowledge of the CA. It does this by registering all observed certificates
in a log, encouraging clients to reject certificates not found in the log, and
encouraging CAs to check the log for certificates signed with its key that were
not signed through its authorized procedures.

The proposal specifies the actions of a partially trusted logging service that
will take certificates as they are issued, sign an acknowledgement that can
optionally be placed in the certificate itself or in the TLS headers during
session initialization. The certificates are then placed in a Merkle hash tree
and signed. This both reduces the signing work the log server has to do and
allows it to prove that it has not removed any certificates from its database
once they are posted there.

The protocol could be adapted for other logs that someone might want to audit
for completeness and for following a policy of strictly-appending.

An interesting question that I did not see addressed in the I-D concerns
whether the list of all issued certificates is made world-readable. The system
assumes that the owners of particular domain names can watch for the issuance
of bogus certificates for names they own, but many issuers do not want to make
public the complete list of certificates they have issued for the same reason
they would not want to release a complete list of DNS names they are using
below their arc. DNS allows verification of guessed names but not enumeration
of all names (at least optionally). Doing the same with this system would lose
some of its security benefits, but not doing it would make it unacceptable to
some issuers. This issue was discussed by the working group, but the security
community might also want to comment.

        --Charlie