List: ietf-tls
Subject: Re: [TLS] [EXTERNAL] Re: [lamps] Q: Creating CSR for encryption-only cert?
From: Mike Ounsworth <Mike.Ounsworth=40entrust.com () dmarc ! ietf ! org>
Date: 2022-10-06 16:04:49
Message-ID: CH0PR11MB57394663192A02AD5D52174C9F5C9 () CH0PR11MB5739 ! namprd11 ! prod ! outlook ! com
> Precertificates, the same "base" TBSCertificate as the final cert + Poison
> extension, is signed by the CA

Right. Same end result though: you cannot use the CT precertificate to satisfy an
indirect encryption PoP challenge where the final certificate is the challenge text.
---
Mike Ounsworth
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Thom Wiggers
Sent: October 6, 2022 9:06 AM
To: Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com>
Cc: von Oheimb, David <david.von.oheimb@siemens.com>; uri@ll.mit.edu; openssl-users@openssl.org; morganjim@dataio.com; spasm@ietf.org; tls@ietf.org
Subject: [EXTERNAL] Re: [lamps] [TLS] Q: Creating CSR for encryption-only cert?
Hi Tomas, all,
Good discussion today, I'm learning some new things :D
On Thu, 6 Oct 2022 at 13:37, Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com> wrote:

> For CT logs as in 'CT used for public web sites' there is no possibility to delay
> submitting.

Ah, of course it does. I must've been low on coffee when I forgot that the SCT is
obviously computed through submission to a log, rather than over a promise to submit.

I suppose that pretty much rules out the "implicit" challenge-is-encrypted-cert
method described in CRMF/CMP for web certificates then. Otherwise one might spam CT
logs?
Cheers and thanks,
Thom
Any email and files/attachments transmitted with it are confidential and are intended
solely for the use of the individual or entity to whom they are addressed. If this
message has been sent to you in error, you must not copy, distribute or disclose the
information it contains. Please notify Entrust immediately and delete the message
from your system.
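The indirect PoP flow the thread is discussing, as an added example that is not part of the original exchange: the CA returns the issued certificate encrypted under the requested public key, and the requester proves possession by decrypting it and returning a hash of it (the certHash of a certConf). A CT precertificate is built over the same fields to show that it does not hash to the final certificate and so cannot answer that challenge. The code uses the `cryptography` package; the names, dates, serial and key sizes are constructed for the demo, and the hybrid envelope (RSA-OAEP wrapping an AES-GCM key) stands in for the CMS EnvelopedData CRMF actually uses.

```python
"""Indirect proof of possession (PoP) for an encryption-only key, in the shape
CRMF/CMP describe: the CA hands back the issued certificate encrypted under the
requested public key, and the requester proves possession by decrypting it and
returning a hash of the certificate.  A CT precertificate is built over the
same fields to show it does not hash to the final certificate.

Added example, not code from the thread.  Needs the `cryptography` package;
names, dates, serial and key sizes are constructed for the demo."""
import datetime
import hashlib
import os

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.x509.oid import ExtensionOID, NameOID

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def issue(subject_pub, ca_key, precert):
    """Sign a certificate with keyUsage = keyEncipherment only (no digitalSignature,
    so the subject key could not have signed a CSR).  precert=True adds the CT
    poison extension; every other field is identical to the final certificate.
    A real final cert would also carry the SCT list the logs return, which
    needs a log and is omitted here."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])  # constructed
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo CA")])        # constructed
    not_before = datetime.datetime(2022, 10, 6, 0, 0, 0)                            # constructed
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_pub)
        .serial_number(0x1001)  # constructed
        .not_valid_before(not_before)
        .not_valid_after(not_before + datetime.timedelta(days=90))
        .add_extension(
            x509.KeyUsage(
                digital_signature=False, content_commitment=False,
                key_encipherment=True, data_encipherment=False,
                key_agreement=False, key_cert_sign=False, crl_sign=False,
                encipher_only=False, decipher_only=False,
            ),
            critical=True,
        )
    )
    if precert:
        builder = builder.add_extension(x509.PrecertPoison(), critical=True)
    return builder.sign(ca_key, hashes.SHA256())


def encrypt_certificate(cert, subject_pub):
    """CA side.  Hybrid envelope of the certificate DER: AES-256-GCM under a
    fresh content-encryption key, that key wrapped with RSA-OAEP to the
    subject's public key (stand-in for CMS EnvelopedData)."""
    der = cert.public_bytes(serialization.Encoding.DER)
    cek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    return {
        "wrapped_cek": subject_pub.encrypt(cek, OAEP),
        "nonce": nonce,
        "ciphertext": AESGCM(cek).encrypt(nonce, der, None),
    }


def answer_challenge(envelope, subject_priv):
    """Requester side.  Only the holder of the private key recovers the
    certificate; it returns the hash of whatever it decrypted."""
    cek = subject_priv.decrypt(envelope["wrapped_cek"], OAEP)
    der = AESGCM(cek).decrypt(envelope["nonce"], envelope["ciphertext"], None)
    return hashlib.sha256(der).digest()


def cert_hash(cert):
    return hashlib.sha256(cert.public_bytes(serialization.Encoding.DER)).digest()


def confirm(issued_cert, received_hash):
    """CA side.  The confirmation is accepted only if it matches the issued bytes."""
    return cert_hash(issued_cert) == received_hash


def run():
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    final_cert = issue(subject_key.public_key(), ca_key, precert=False)
    precert = issue(subject_key.public_key(), ca_key, precert=True)

    challenge = encrypt_certificate(final_cert, subject_key.public_key())
    return {
        # The key holder decrypts the final certificate and confirms it.
        "holder_confirms": confirm(final_cert, answer_challenge(challenge, subject_key)),
        # Holding only the precert (e.g. fetched from a CT log) does not help.
        "precert_confirms": confirm(final_cert, cert_hash(precert)),
        "precert_has_poison": any(e.oid == ExtensionOID.PRECERT_POISON for e in precert.extensions),
        "same_tbs": precert.tbs_certificate_bytes == final_cert.tbs_certificate_bytes,
    }


if __name__ == "__main__":
    print(run())
```

The precert differs from the final certificate in its TBSCertificate (the poison extension, and in production the SCT list on the final cert as well) and therefore in its signature, so a confirmation hash computed over it never matches what the CA issued; the only way to produce the right hash is to decrypt the challenge with the private key.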
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls