A name constrained intermediate is functionally equivalent to a wildcard cert.
As it stands, any name-constrained intermediates should likely be subject to the same auditing and technical rigeur as the CAs infrastructure.
So no, I believe that not only are constrained sub-CAs not viable within the letter of the EVGs, but they are also strongly non-desirable within the spirit of them.
--
You received this message because you are subscribed to the Google Groups "Certificate Transparency Policy" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ct-policy+...@chromium.org.
To post to this group, send email to ct-p...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/ct-policy/9e0ddffb-6d23-4aa4-b1c7-df8b1da6df68%40chromium.org.
This was brought to my attention in the mozilla.dev.security.policy discussion forum, so I would like to add my 2 cents.
I understand why a customer would not want their "internal" domain (like billing.example.com) to be public.
But, on the other hand, I do not understand why they would need EV treatment for an internal site like that. For such an internal site, they already know who the O/OU is.
For DV, *.example.com is allowed, so allowing <PRIVATE>.example.com doesn’t add risk.
But wildcards are not allowed for EV, so I don’t think we should reduce our ability to use CT by allowing <PRIVATE>.example.com.
So, I agree with Ben’s proposal that <PRIVATE>.example.com is OK for DV, but not for EV.
Kathleen
Ben, thanks for doing this analysis. My conclusion is that private domain redaction does weaken CT-for-EV to some extent, but I wouldn't go as far as saying it defeats its purpose. (For example, you can still detect misissuances for <whatever>.google.com).
I wrote the current 6962-bis text for the private domain redaction mechanism because it solves the only major objection to CT that I was hearing from my colleagues at Comodo. I want to see CT succeed, and this mechanism seemed necessary to ensure that success.
If you don't implement private domain redaction for the initial EV/CT rollout, then I guess we'll have to give our EV cert customers the option to instruct us to _not_ generate a Precertificate and/or send their EV certs to the logs. We would have to make it clear to them that selecting this option means losing the EV indicator in Chrome.
Or, maybe we could thrash out a compromise...
Consider the approach CABForum has taken over the practice of issuing certs with internal server names:
1. Recognize that it's not best practice.
2. Accept the reality: it's widely deployed.
3. Don't kill it immediately, but instead declare a sunset date, so that affected cert holders can transition to using Internet domain names instead.
Or consider CABForum's approach to non-critical Name Constraints or phasing out SHA-1 certificate signatures: using critical Name Constraints today is a non-starter, forcing all certs to be signed using SHA-2 today is a non-starter. The solution? Move the dial a little away from Security and towards Useability, intending to move it back towards Security at a later date, when it becomes feasible to do so.
Or consider Google's approach to hard-fail online revocation checking in Chrome: Ignore BRs section 18.2, because the Useability of hard-fail sucks! Move the dial a little away from Security...
Anyway, my best-compromise-I-can-think-of proposal...
1. Accept the reality that private domain names are widely deployed.
2. Implement the private domain redaction mechanism in the initial rollout of CT/EV in Chrome (and leave it in 6962-bis).
3. Set a sunset date N years in the future, after which Chrome will no longer support the private domain redaction mechanism.
What do you think?
Yes. I presume you're aware that Microsoft intends to "Re-examine the impact of this Policy at mid-term" [1] and that CABForum hasn't set a SHA-1 sunset date yet.
Chrome 39 is indeed "very soon" (1.5 months from now? [2]) to be doing this! To repeat: CABForum hasn't set a sunset date yet, Microsoft intend to review the impact of their plans, and Microsoft haven't announced any plans to treat SHA-1 certs with notAfter dates exceeding the "sunset" date as mixed-content.
I would love to see the back of SHA-1, but with your aggressive timescale I think you are going to catch most CAs and most of their customers by surprise!
[1] http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
[2] http://www.chromium.org/developers/calendar
<snip>OK, that's good to hear. Ben seemed to imply that name redaction for DV was losing favour too.
I think we're absolutely committed to exploring name redactions,
particularly for DV certificates, where they're indistinguishable from
wildcard certs or name constraints, but I think our transition to CT
for EV serves as the effective sunset period for these sorts of certs.
On Wed, Aug 13, 2014 at 12:46:43PM -0700, Kathleen Wilson wrote:Hmm... what if I'm an attacker in your network, and I want to MitM your
> I understand why a customer would not want their "internal" domain (like
> billing.example.com) to be public.
>
> But, on the other hand, I do not understand why they would need EV
> treatment for an internal site like that. For such an internal site, they
> already know who the O/OU is.
billing site? If I can use a fraudulently-obtained DV cert to do that, so
much the better than having to get an EV cert.
Also, consider the glorious future where CT is universally deployed, and
every cert needs SCTs to get past the "OMG! UNTRUSTED CERT!" scare page...
Sure, but I'm not going to hand everyone in my org the ability to pwn up the
rest of my org by giving every internal service a cert for `*.example.com`
-- one key gets stolen from one server and *everything* is suddenly MitM'd.
No, I'm going to get individual certs for individual services, thank you
very much.
- Matt
(removes hypothetical enterprise security weenie hat)
Extended Validation certificates are issued only to organizations that successfully pass a standardized rigorous authentication process. The idea that this is valuable only for externally facing sites and applications is flawed. We're the largest EV issuer in the world and we have 30-40% of our EV Certs issued for internal domains (based on our scans of our EV customers) and we have many customers who, as a policy, insist that any SSL certificate they use for any purpose is issued only after meeting the EV authentication standards.
Separately but related, the intent of CT was originally described as creating a model to enable customers to detect mis-issuance. That objective can be met without any certificate details other than the first-level domain name(s), serial number and issuer name. The discussion has now evolved to somehow use CT to determine whether or not certs have been issued following the CABF guidelines. That can be accomplished in lots of ways including third party process audits (which we do), crawling for SSL Certs (which Netcraft does), and browser-based certificate policies (which each of the browsers do).
Extended Validation certificates are issued only to organizations that successfully pass a standardized rigorous authentication process. The idea that this is valuable only for externally facing sites and applications is flawed. We're the largest EV issuer in the world and we have 30-40% of our EV Certs issued for internal domains (based on our scans of our EV customers) and we have many customers who, as a policy, insist that any SSL certificate they use for any purpose is issued only after meeting the EV authentication standards.
Separately but related, the intent of CT was originally described as creating a model to enable customers to detect mis-issuance.
That objective can be met without any certificate details other than the first-level domain name(s), serial number and issuer name. The discussion has now evolved to somehow use CT to determine whether or not certs have been issued following the CABF guidelines. That can be accomplished in lots of ways including third party process audits (which we do), crawling for SSL Certs (which Netcraft does), and browser-based certificate policies (which each of the browsers do).
It seems that the private option is now tied up in this latter evolving objective. We recognize that audits are not perfect, but with the privacy option, every aspect of cert issuance (except for second- and higher-level domain names) can be publicly audited in CT. Furthermore, we value our customers’ privacy and believe that they should be given the choice to decide if their second- and higher-level domain names need to be kept private.
In the wake of Snowden, the world has focused on privacy.
We feel it’s imperative to preserve privacy for those customers who value it, and we believe that nearly all of CT’s promise can be realized even with the private option. It’s a good compromise.
--
You received this message because you are subscribed to the Google Groups "Certificate Transparency Policy" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ct-policy+...@chromium.org.
To post to this group, send email to ct-p...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/ct-policy/9db378b5-c231-4c71-8340-57b9164daf88%40chromium.org.
Thanks Ryan, Sig and Ben. But has anyone spoken to customers to get their viewpoint? You may recall a discussion a while back in the CABF about sun-setting of internal names. Everyone wanted to take quick action until a customer survey was produced which showed valid reasons why customers were using internal names (mostly following vendor instructions). Following that, a terrific white paper was written instructing them how to avoid those names and an appropriate sunset period was reached which satisfied all constituents (more or less).
Here it seems that a grand technical solution is being reached without sufficient end user (customer) feedback. Sure, there may be some high profile users that have provided some input but I haven't seen a broad survey to determine impacts. I said in my earlier message that Symantec, as the largest EV issuer, found some 30-40% of customers were using these internally but that statistic appears to be ignored or brushed aside. Sure they could switch to OV but that would only be a temporary fix as Google has announced plans to expand CT to OV and DV certs. I'd be willing to conduct such a survey if I knew the results would be taken seriously, resulting in meaningful action.
--
You received this message because you are subscribed to the Google Groups "Certificate Transparency Policy" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ct-policy+...@chromium.org.
To post to this group, send email to ct-p...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/ct-policy/9894814c-c997-4c9d-a2cb-8231cbd58c59%40chromium.org.
On Aug 20, 2014 5:08 PM, "Dean Coclin" <dean...@gmail.com> wrote:
>
> There were never any "assurances" made to EV cert customers about the privacy of their data. I'm sure this is the case for other CAs as well. CT didn't exist when these certs were sold. But consider the scenario of a website owner requesting an EV cert (pre-CT) for an application behind the firewall. Since no one else can see this cert, other than corporate users, is it unreasonable to expect that they might think the cert data would be private?
Yes.
>
> I think Symantec and Google actually agree on a lot here with respect to the goals of CT. To the extent though that full disclosure is going to be required for website owners then our belief is a longer transition period is needed to avoid disclosing possibly private names.
Your concern has been duly noted. Full disclosure is only required for sites that wish to receive EV badging. As EV badging is not necessary for a secured connection, a graceful fallback already exists.
That is, there is inherently no risk of disclosing private names for certificates that are not logged, and certificates only need to be logged for EV.
For CAs - or their customers - who choose not to log, they will no longer receive EV badging.
There is no need to hold back Internet security in order to convince these certificate holders - or their issuing CAs - that any publicly trusted CA is responsible for operating in the public trust, and that part of that public trust is that the CA is required to operate honestly and transparently and held accountable for mistakes.
> Once customers understand it, I’m confident they’ll make sure that they put no private info in their second- and higher-level domain names. That said, requiring disclosure by January would be without precedent in terms of a transition period for these kind of mandates.
>
The Internet moves quickly.
That said, there is a graceful fallback path, and browsers have never been obligated to guarantee that they treat a particular certificate as EV. We have seen this revoked in the past for specific incidents, such as that of TurkTrust, and we see it happening now across the board for CT.
> So if name redaction won’t be supported for EV certs, we support Rob Stradling’s suggestion of a sunset date to allow customers to phase out certs with private names before they’re publicly disclosed.
This sunset is already built into the plan. It's called "treated as DV". This is a sufficient balance between the risks to users and the Internet from a CA failing to meet program requirements and the needs of existing certificate holders.
It is up to the CA - or, if the CA is unwilling to act, the certificate holder - to determine which factor is more important for their individual needs, but for the collective Internet and Chromium user community, it is unquestionable that the audit needs are far more valuable and necessary.
> --
> You received this message because you are subscribed to the Google Groups "Certificate Transparency Policy" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ct-policy+...@chromium.org.
> To post to this group, send email to ct-p...@chromium.org.
> To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/ct-policy/dbe16acd-c8e2-405e-a0d0-054c8418bc24%40chromium.org.
As I understand it, CAs who choose to participate in CT will have all EV certs issued on or before Dec. 31, 2014 “whitelisted” by Chrome, and so treated as EV (green bar) through their expiration date without ever being logged in a CT log.
Is that still correct?
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/ct-policy/CACvaWvYZaQs%3DBz%3Do%2BjV7%2BwKEXGUcfpgJ_sT4UyiGGcZmR%2BXvkA%40mail.gmail.com.
|
As I understand it, CAs who choose to participate in CT will have all EV certs issued on or before Dec. 31, 2014 “whitelisted” by Chrome, and so treated as EV (green bar) through their expiration date without ever being logged in a CT log.
Is that still correct?