
From nobody Tue Jul  7 06:49:34 2015
Return-Path: <housley@vigilsec.com>
X-Original-To: wpkops@ietfa.amsl.com
Delivered-To: wpkops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A4D71A0266 for <wpkops@ietfa.amsl.com>; Tue,  7 Jul 2015 06:49:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level: 
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vISxtRzwbJyr for <wpkops@ietfa.amsl.com>; Tue,  7 Jul 2015 06:49:32 -0700 (PDT)
Received: from odin.smetech.net (x-bolt-wan.smeinc.net [209.135.219.146]) by ietfa.amsl.com (Postfix) with ESMTP id 27A2A1A01EC for <wpkops@ietf.org>; Tue,  7 Jul 2015 06:49:32 -0700 (PDT)
Received: from localhost (unknown [209.135.209.5]) by odin.smetech.net (Postfix) with ESMTP id 8F19B9A405F for <wpkops@ietf.org>; Tue,  7 Jul 2015 09:49:21 -0400 (EDT)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([209.135.209.4]) by localhost (ronin.smeinc.net [209.135.209.5]) (amavisd-new, port 10024) with ESMTP id 7ksnqci5bRNQ for <wpkops@ietf.org>; Tue,  7 Jul 2015 09:48:03 -0400 (EDT)
Received: from [192.168.2.100] (pool-108-51-128-219.washdc.fios.verizon.net [108.51.128.219]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id 0716C9A4049 for <wpkops@ietf.org>; Tue,  7 Jul 2015 09:49:01 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Tue, 7 Jul 2015 09:48:50 -0400
Message-Id: <62149DF7-5173-425A-AC84-DB8D97D63B8A@vigilsec.com>
To: wpkops@ietf.org
Mime-Version: 1.0 (Apple Message framework v1085)
X-Mailer: Apple Mail (2.1085)
Archived-At: <http://mailarchive.ietf.org/arch/msg/wpkops/lGoGmtniyYurzClg9m39yZBI51A>
Subject: [wpkops] draft-housley-web-pki-problems-00
X-BeenThere: wpkops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <wpkops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wpkops>, <mailto:wpkops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wpkops/>
List-Post: <mailto:wpkops@ietf.org>
List-Help: <mailto:wpkops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wpkops>, <mailto:wpkops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2015 13:49:33 -0000

I want to make people on this list aware of this draft that was posted yesterday.

Stephen Farrell suggested that this list might be a good place to discuss it.

Russ


From nobody Tue Jul  7 07:57:57 2015
Return-Path: <housley@vigilsec.com>
X-Original-To: wpkops@ietfa.amsl.com
Delivered-To: wpkops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CFAB1ACD44 for <wpkops@ietfa.amsl.com>; Tue,  7 Jul 2015 07:57:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level: 
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0xX1m_4Z8mdR for <wpkops@ietfa.amsl.com>; Tue,  7 Jul 2015 07:57:54 -0700 (PDT)
Received: from odin.smetech.net (x-bolt-wan.smeinc.net [209.135.219.146]) by ietfa.amsl.com (Postfix) with ESMTP id 5282D1ACD3E for <wpkops@ietf.org>; Tue,  7 Jul 2015 07:57:54 -0700 (PDT)
Received: from localhost (unknown [209.135.209.5]) by odin.smetech.net (Postfix) with ESMTP id ABE109A4066 for <wpkops@ietf.org>; Tue,  7 Jul 2015 10:57:43 -0400 (EDT)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([209.135.209.4]) by localhost (ronin.smeinc.net [209.135.209.5]) (amavisd-new, port 10024) with ESMTP id fjRyXfUDZJ2v for <wpkops@ietf.org>; Tue,  7 Jul 2015 10:56:25 -0400 (EDT)
Received: from [192.168.2.100] (pool-108-51-128-219.washdc.fios.verizon.net [108.51.128.219]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id 255369A4065 for <wpkops@ietf.org>; Tue,  7 Jul 2015 10:57:23 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Tue, 7 Jul 2015 10:57:11 -0400
Message-Id: <28D7CC3C-E21C-4D01-8F13-F2D661D82D71@vigilsec.com>
To: wpkops@ietf.org
Mime-Version: 1.0 (Apple Message framework v1085)
X-Mailer: Apple Mail (2.1085)
Archived-At: <http://mailarchive.ietf.org/arch/msg/wpkops/i5mXSyGKbSc4fX4Oor1SFTdkgRA>
Subject: [wpkops] draft-housley-web-pki-problems-00
X-BeenThere: wpkops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <wpkops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wpkops>, <mailto:wpkops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wpkops/>
List-Post: <mailto:wpkops@ietf.org>
List-Help: <mailto:wpkops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wpkops>, <mailto:wpkops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2015 14:57:55 -0000

I want to make people on this list aware of this draft that was posted yesterday.

Stephen Farrell suggested that this list might be a good place to discuss it.

Russ


From nobody Tue Jul  7 08:11:16 2015
Return-Path: <hallam@gmail.com>
X-Original-To: wpkops@ietfa.amsl.com
Delivered-To: wpkops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA7B71ACD74 for <wpkops@ietfa.amsl.com>; Tue,  7 Jul 2015 08:11:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level: 
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wmg2DeEWn6aH for <wpkops@ietfa.amsl.com>; Tue,  7 Jul 2015 08:11:13 -0700 (PDT)
Received: from mail-la0-x22b.google.com (mail-la0-x22b.google.com [IPv6:2a00:1450:4010:c03::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14CA31A8899 for <wpkops@ietf.org>; Tue,  7 Jul 2015 08:11:13 -0700 (PDT)
Received: by lagx9 with SMTP id x9so199546834lag.1 for <wpkops@ietf.org>; Tue, 07 Jul 2015 08:11:11 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.112.170.167 with SMTP id an7mr4467031lbc.103.1436281871618;  Tue, 07 Jul 2015 08:11:11 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.112.203.163 with HTTP; Tue, 7 Jul 2015 08:11:11 -0700 (PDT)
In-Reply-To: <62149DF7-5173-425A-AC84-DB8D97D63B8A@vigilsec.com>
References: <62149DF7-5173-425A-AC84-DB8D97D63B8A@vigilsec.com>
Date: Tue, 7 Jul 2015 11:11:11 -0400
X-Google-Sender-Auth: gYCrBwuYNFwBIWgNWQJDHOYgLzU
Message-ID: <CAMm+Lwg8-g3TkN-8HQjCd0-me6siU9LQ=cjdCH67kwgB38JX2g@mail.gmail.com>
From: Phillip Hallam-Baker <ietf@hallambaker.com>
To: Russ Housley <housley@vigilsec.com>
Content-Type: multipart/alternative; boundary=001a11c368ccc15a1b051a4a6e55
Archived-At: <http://mailarchive.ietf.org/arch/msg/wpkops/IS05zXyxevgLyTSlbFDkIkPrdVs>
Cc: "wpkops@ietf.org" <wpkops@ietf.org>
Subject: Re: [wpkops] draft-housley-web-pki-problems-00
X-BeenThere: wpkops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <wpkops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wpkops>, <mailto:wpkops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wpkops/>
List-Post: <mailto:wpkops@ietf.org>
List-Help: <mailto:wpkops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wpkops>, <mailto:wpkops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2015 15:11:15 -0000

--001a11c368ccc15a1b051a4a6e55
Content-Type: text/plain; charset=UTF-8

Good idea, I forwarded it on some CA lists as well.

One omission I think needs to be called out is that the WebPKI scope is
limited to server authentication. While I don't think that the draft should
consider client auth in detail, it is something that should be pointed out
as a shortcoming.

I think that the main reason we haven't got client auth working on a large
scale is that the administration and usability issues that impact the Web
Server PKI are even more severe for client PKI.

My Mesh project is an attempt to address those issues.

--001a11c368ccc15a1b051a4a6e55--


From nobody Tue Jul  7 12:36:44 2015
Return-Path: <jeremy.rowley@digicert.com>
X-Original-To: wpkops@ietfa.amsl.com
Delivered-To: wpkops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AB531A21C3 for <wpkops@ietfa.amsl.com>; Tue,  7 Jul 2015 12:36:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.313
X-Spam-Level: 
X-Spam-Status: No, score=-2.313 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sq2VGeF6KfdN for <wpkops@ietfa.amsl.com>; Tue,  7 Jul 2015 12:36:41 -0700 (PDT)
Received: from mail.digicert.com (mail.digicert.com [64.78.193.232]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D44D81A1B1F for <wpkops@ietf.org>; Tue,  7 Jul 2015 12:36:41 -0700 (PDT)
From: Jeremy Rowley <jeremy.rowley@digicert.com>
To: Russ Housley <housley@vigilsec.com>, "wpkops@ietf.org" <wpkops@ietf.org>
Thread-Topic: [wpkops] draft-housley-web-pki-problems-00
Thread-Index: AQHQuMVQY4sV5YvCFk+fNcTud623Ip3QYTgA
Date: Tue, 7 Jul 2015 19:36:39 +0000
Message-ID: <8d66da4eb5d24bb89f8d6b934640ea61@EX2.corp.digicert.com>
References: <28D7CC3C-E21C-4D01-8F13-F2D661D82D71@vigilsec.com>
In-Reply-To: <28D7CC3C-E21C-4D01-8F13-F2D661D82D71@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [67.137.52.8]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/wpkops/zOPclZ9RXF93u1ob0uwTin9fZig>
Subject: Re: [wpkops] draft-housley-web-pki-problems-00
X-BeenThere: wpkops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <wpkops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wpkops>, <mailto:wpkops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wpkops/>
List-Post: <mailto:wpkops@ietf.org>
List-Help: <mailto:wpkops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wpkops>, <mailto:wpkops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2015 19:36:43 -0000

This paper sounds like a wish list of select issues taken from the Mozilla forums.  I don't see why it would be published as informational RFC? Is the goal to make a list of issues that community members feel need to be discussed? I don't get it.

The conclusions seem to be 1) Have a CAB Forum that is more transparent (which is out of scope of the IETF - I'm not sure I've ever seen an IETF paper specifically call out to another industry body requesting a change in its membership?) and 2) Use Let's Encrypt - one specific member of the CA community.  Many CAs already offer free tools to automate issuance, making the call out to Let's Encrypt very odd in an IETF document, especially where the touted feature - new automated tools - already exist (https://www.digicert.com/express-install/).  I have a similar complaint about the reference to acme where PHB has been proposing something similar for a LONG time (https://tools.ietf.org/html/draft-hallambaker-omnibroker-06).

I'm also not sure why you selected the specific issues for inclusion in the paper. For example, the paper doesn't mention inconsistencies in validation levels, which (imo) is a bigger issue than the "too big to fail" scenario. Cost also is a weird issue to include in the document since it's always relative.  It's also very difficult to discuss without running afoul of anti-trust laws.

Jeremy

-----Original Message-----
From: wpkops [mailto:wpkops-bounces@ietf.org] On Behalf Of Russ Housley
Sent: Tuesday, July 7, 2015 8:57 AM
To: wpkops@ietf.org
Subject: [wpkops] draft-housley-web-pki-problems-00

I want to make people on this list aware of this draft that was posted yesterday.

Stephen Farrell suggested that this list might be a good place to discuss it.

Russ

_______________________________________________
wpkops mailing list
wpkops@ietf.org
https://www.ietf.org/mailman/listinfo/wpkops


From nobody Tue Jul  7 13:04:20 2015
Return-Path: <hallam@gmail.com>
X-Original-To: wpkops@ietfa.amsl.com
Delivered-To: wpkops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA27E1A8A1F for <wpkops@ietfa.amsl.com>; Tue,  7 Jul 2015 13:04:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level: 
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tFSyQ-Ov6AlN for <wpkops@ietfa.amsl.com>; Tue,  7 Jul 2015 13:04:17 -0700 (PDT)
Received: from mail-la0-x22e.google.com (mail-la0-x22e.google.com [IPv6:2a00:1450:4010:c03::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B206C1A8A09 for <wpkops@ietf.org>; Tue,  7 Jul 2015 13:04:16 -0700 (PDT)
Received: by lagx9 with SMTP id x9so209696113lag.1 for <wpkops@ietf.org>; Tue, 07 Jul 2015 13:04:15 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.152.87.97 with SMTP id w1mr5666939laz.124.1436299455157; Tue, 07 Jul 2015 13:04:15 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.112.203.163 with HTTP; Tue, 7 Jul 2015 13:04:14 -0700 (PDT)
In-Reply-To: <8d66da4eb5d24bb89f8d6b934640ea61@EX2.corp.digicert.com>
References: <28D7CC3C-E21C-4D01-8F13-F2D661D82D71@vigilsec.com> <8d66da4eb5d24bb89f8d6b934640ea61@EX2.corp.digicert.com>
Date: Tue, 7 Jul 2015 16:04:14 -0400
X-Google-Sender-Auth: kDgBpiNzPI5KUmnaAQCX-kyBpwA
Message-ID: <CAMm+LwgBHoQfFqmQQcudQo_4_Fq6Np+=Hu6xEiEG3DAz-n_iig@mail.gmail.com>
From: Phillip Hallam-Baker <ietf@hallambaker.com>
To: Jeremy Rowley <jeremy.rowley@digicert.com>
Content-Type: multipart/alternative; boundary=001a11c33dded0ddac051a4e86cc
Archived-At: <http://mailarchive.ietf.org/arch/msg/wpkops/nPr6A2E1NLyJzznB0JaOUfVwLhU>
Cc: "wpkops@ietf.org" <wpkops@ietf.org>, Russ Housley <housley@vigilsec.com>
Subject: Re: [wpkops] draft-housley-web-pki-problems-00
X-BeenThere: wpkops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <wpkops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wpkops>, <mailto:wpkops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wpkops/>
List-Post: <mailto:wpkops@ietf.org>
List-Help: <mailto:wpkops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wpkops>, <mailto:wpkops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2015 20:04:19 -0000

--001a11c33dded0ddac051a4e86cc
Content-Type: text/plain; charset=UTF-8

On Tue, Jul 7, 2015 at 3:36 PM, Jeremy Rowley <jeremy.rowley@digicert.com>
wrote:

> This paper sounds like a wish list of select issues taken from the Mozilla
> forums.  I don't see why it would be published as informational RFC? Is the
> goal to make a list of issues that community members feel need to be
> discussed? I don't get it.
>
> The conclusions seem to be 1) Have a CAB Forum that is more transparent
> (which is out of scope of the IETF - I'm not sure I've ever seen an IETF
> paper specifically call out to another industry body requesting a change in
> its membership?) and 2) Use Let's Encrypt - one specific member of the CA
> community.  Many CAs already offer free tools to automate issuance, making
> the call out to Let's Encrypt very odd in an IETF document, especially
> where the touted feature - new automated tools - already exist (
> https://www.digicert.com/express-install/).  I have a similar complaint
> about the reference to acme where PHB has been proposing something similar
> for a LONG time (
> https://tools.ietf.org/html/draft-hallambaker-omnibroker-06).
>
> I'm also not sure why you selected the specific issues for inclusion in
> the paper. For example, the paper doesn't mention inconsistencies in
> validation levels, which (imo) is a bigger issue than the "too big to fail"
> scenario. Cost also is a weird issue to include in the document since it's
> always relative.  It's also very difficult to discuss without running afoul
> of anti-trust laws.
>

I have a slightly different concern about the mention of CABForum.

CABForum was originally started to develop industry standards for
Organizational Validation certs which turned into EV certs over time. As
such I always regarded it as a successor in spirit to the ABA group that
Michael Baum used to run.

CABForum is not set up as a governance body. It does not manage a trust
store or decide on inclusion of trust roots. It isn't an industry
association either, there is a separate body that has that role.


I think that the problem the paper identifies is actually a more
fundamental issue with the WebPKI, the fact that browser providers are not
ideally placed to act as curators of trust stores because they have two
conflicting concerns: security and interoperability.

While browsers do their best to achieve a balance between those concerns,
they can't be expected to provide customized tradeoffs for different
purposes. It is inevitably one size fits all.


One of the ways I am looking to address this in the mesh is to provide a
mechanism that allows individual users more control of their network
environment by defining a custom network profile that can be easily
transferred from one device to another.

In ordinary circumstances, it is not practical for a user to manage a
custom set of WebPKI roots on each of their machines or for that matter to
delegate that configuration to a trusted party.

--001a11c33dded0ddac051a4e86cc--


From nobody Tue Jul  7 14:53:56 2015
Return-Path: <joelja@bogus.com>
X-Original-To: wpkops@ietfa.amsl.com
Delivered-To: wpkops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8531E1AD368 for <wpkops@ietfa.amsl.com>; Tue,  7 Jul 2015 14:53:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level: 
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GeA6-Z50W9eu for <wpkops@ietfa.amsl.com>; Tue,  7 Jul 2015 14:53:54 -0700 (PDT)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A2911AD35F for <wpkops@ietf.org>; Tue,  7 Jul 2015 14:53:54 -0700 (PDT)
Received: from mb-aye.local (c-50-186-11-175.hsd1.or.comcast.net [50.186.11.175]) (authenticated bits=0) by nagasaki.bogus.com (8.14.9/8.14.9) with ESMTP id t67LrnvY021064 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 7 Jul 2015 21:53:49 GMT (envelope-from joelja@bogus.com)
To: Jeremy Rowley <jeremy.rowley@digicert.com>, Russ Housley <housley@vigilsec.com>, "wpkops@ietf.org" <wpkops@ietf.org>
References: <28D7CC3C-E21C-4D01-8F13-F2D661D82D71@vigilsec.com> <8d66da4eb5d24bb89f8d6b934640ea61@EX2.corp.digicert.com>
From: joel jaeggli <joelja@bogus.com>
Message-ID: <559C4A67.90700@bogus.com>
Date: Tue, 7 Jul 2015 14:53:43 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.0
MIME-Version: 1.0
In-Reply-To: <8d66da4eb5d24bb89f8d6b934640ea61@EX2.corp.digicert.com>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="QgvLQNtgIQdeaMUkWRiEWGAAdm1QFLMGr"
Archived-At: <http://mailarchive.ietf.org/arch/msg/wpkops/NITxwXDsIZYGvSHsWw89iRkiWg0>
Subject: Re: [wpkops] draft-housley-web-pki-problems-00
X-BeenThere: wpkops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <wpkops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wpkops>, <mailto:wpkops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wpkops/>
List-Post: <mailto:wpkops@ietf.org>
List-Help: <mailto:wpkops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wpkops>, <mailto:wpkops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2015 21:53:55 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--QgvLQNtgIQdeaMUkWRiEWGAAdm1QFLMGr
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

On 7/7/15 12:36 PM, Jeremy Rowley wrote:
> This paper sounds like a wish list of select issues taken from the
> Mozilla forums.  I don't see why it would be published as
> informational RFC? Is the goal to make a list of issues that
> community members feel need to be discussed? I don't get it.

In general, I'd look at a 00 draft published against the deadline for a
particular meeting as the opening salvo in a conversation someone wants
to have, in this case somewhere at ietf 93.

I have this somewhere in my queue along with some fraction of the other
thousand or so drafts submitted against the monday cutoff.

> The conclusions seem to be 1) Have a CAB Forum that is more
> transparent (which is out of scope of the IETF - I'm not sure I've
> ever seen an IETF paper specifically call out to another industry
> body requesting a change in its membership?) and 2) Use Let's Encrypt
> - one specific member of the CA community.  Many CAs already offer
> free tools to automate issuance, making the call out to Let's Encrypt
> very odd in an IETF document, especially where the touted feature -
> new automated tools - already exist
> (https://www.digicert.com/express-install/).  I have a similar
> complaint about the reference to acme where PHB has been proposing
> something similar for a LONG time
> (https://tools.ietf.org/html/draft-hallambaker-omnibroker-06).
>
> I'm also not sure why you selected the specific issues for inclusion
> in the paper. For example, the paper doesn't mention inconsistencies
> in validation levels, which (imo) is a bigger issue than the "too big
> to fail" scenario. Cost also is a weird issue to include in the
> document since it's always relative.  It's also very difficult to
> discuss without running afoul of anti-trust laws.
>
> Jeremy
>
> -----Original Message----- From: wpkops
> [mailto:wpkops-bounces@ietf.org] On Behalf Of Russ Housley Sent:
> Tuesday, July 7, 2015 8:57 AM To: wpkops@ietf.org Subject: [wpkops]
> draft-housley-web-pki-problems-00
>
> I want to make people on this list aware of this draft that was
> posted yesterday.
>
> Stephen Farrell suggested that this list might be a good place to
> discuss it.
>
> Russ
>
> _______________________________________________ wpkops mailing list
> wpkops@ietf.org https://www.ietf.org/mailman/listinfo/wpkops
>



--QgvLQNtgIQdeaMUkWRiEWGAAdm1QFLMGr--


From nobody Tue Jul  7 15:41:35 2015
Return-Path: <odonoghue@isoc.org>
X-Original-To: wpkops@ietfa.amsl.com
Delivered-To: wpkops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36DFB1B29CB for <wpkops@ietfa.amsl.com>; Tue,  7 Jul 2015 15:41:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level: 
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GwUDRgwAWjX8 for <wpkops@ietfa.amsl.com>; Tue,  7 Jul 2015 15:41:31 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0689.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:689]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 309071B29C7 for <wpkops@ietf.org>; Tue,  7 Jul 2015 15:41:31 -0700 (PDT)
Received: from DM2PR0601MB1118.namprd06.prod.outlook.com (10.160.218.139) by DM2PR0601MB1120.namprd06.prod.outlook.com (10.160.218.140) with Microsoft SMTP Server (TLS) id 15.1.207.19; Tue, 7 Jul 2015 22:41:09 +0000
Received: from DM2PR0601MB1118.namprd06.prod.outlook.com ([10.160.218.139]) by DM2PR0601MB1118.namprd06.prod.outlook.com ([10.160.218.139]) with mapi id 15.01.0207.004; Tue, 7 Jul 2015 22:41:09 +0000
From: Karen O'Donoghue <odonoghue@isoc.org>
To: Joel Jaeggli <joelja@bogus.com>
Thread-Topic: [wpkops] draft-housley-web-pki-problems-00
Thread-Index: AQHQuMVRBJHTcNNgwkKFxVuQES1uPp3QZvGAgAAmTICAAA1AAA==
Date: Tue, 7 Jul 2015 22:41:09 +0000
Message-ID: <3BECB6DA-3E91-407B-97F7-F822EFC08A5D@isoc.org>
References: <28D7CC3C-E21C-4D01-8F13-F2D661D82D71@vigilsec.com> <8d66da4eb5d24bb89f8d6b934640ea61@EX2.corp.digicert.com> <559C4A67.90700@bogus.com>
In-Reply-To: <559C4A67.90700@bogus.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: bogus.com; dkim=none (message not signed) header.d=none;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [2620:0:1012:fd00:591c:20b4:463f:f882]
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <C6468B2AC24DB449A0F427C5FAB30ADC@namprd06.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: isoc.org
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Jul 2015 22:41:09.4951 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 89f84dfb-7285-4810-bc4d-8b9b5794554f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR0601MB1120
Archived-At: <http://mailarchive.ietf.org/arch/msg/wpkops/ZD70kBtGkceRnZYDwI4hRBgarQk>
Cc: "wpkops@ietf.org" <wpkops@ietf.org>, Russ Housley <housley@vigilsec.com>, Jeremy Rowley <jeremy.rowley@digicert.com>
Subject: Re: [wpkops] draft-housley-web-pki-problems-00
X-BeenThere: wpkops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <wpkops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wpkops>, <mailto:wpkops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wpkops/>
List-Post: <mailto:wpkops@ietf.org>
List-Help: <mailto:wpkops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wpkops>, <mailto:wpkops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2015 22:41:34 -0000

(speaking for myself and not Russ… )

Joel is correct that this was an initial draft to start a conversation. The
point was to collect some of the technical and non-technical issues
associated with deployment and use of PKI. This might then be used to scope
a conversation about possible things that could improve the situation and
venues for the development of those interventions. This is the first step
and any comments or additions are welcome.

(apologies to Joel and others about the “at the deadline” submission).

> On Jul 7, 2015, at 5:53 PM, joel jaeggli <joelja@bogus.com> wrote:
>
> On 7/7/15 12:36 PM, Jeremy Rowley wrote:
>> This paper sounds like a wish list of select issues taken from the
>> Mozilla forums.  I don't see why it would be published as
>> informational RFC? Is the goal to make a list of issues that
>> community members feel need to be discussed? I don't get it.
>
> In general, I'd look at a 00 draft published against the deadline for a
> particular meeting as the opening salvo in a conversation someone wants
> to have, in this case somewhere at ietf 93.
>
> I have this somewhere in my queue along with some fraction of the other
> thousand or so drafts submitted against the monday cutoff.
>
>> The conclusions seem to be 1) Have a CAB Forum that is more
>> transparent (which is out of scope of the IETF - I'm not sure I've
>> ever seen an IETF paper specifically call out to another industry
>> body requesting a change in its membership?) and 2) Use Let's Encrypt
>> - one specific member of the CA community.  Many CAs already offer
>> free tools to automate issuance, making the call out to Let's Encrypt
>> very odd in an IETF document, especially where the touted feature -
>> new automated tools - already exist
>> (https://www.digicert.com/express-install/).  I have a similar
>> complaint about the reference to acme where PHB has been proposing
>> something similar for a LONG time
>> (https://tools.ietf.org/html/draft-hallambaker-omnibroker-06).
>>
>> I'm also not sure why you selected the specific issues for inclusion
>> in the paper. For example, the paper doesn't mention inconsistencies
>> in validation levels, which (imo) is a bigger issue than the "too big
>> to fail" scenario. Cost also is a weird issue to include in the
>> document since it's always relative.  It's also very difficult to
>> discuss without running afoul of anti-trust laws.
>>
>> Jeremy
>>
>> -----Original Message----- From: wpkops
>> [mailto:wpkops-bounces@ietf.org] On Behalf Of Russ Housley Sent:
>> Tuesday, July 7, 2015 8:57 AM To: wpkops@ietf.org Subject: [wpkops]
>> draft-housley-web-pki-problems-00
>>
>> I want to make people on this list aware of this draft that was
>> posted yesterday.
>>
>> Stephen Farrell suggested that this list might be a good place to
>> discuss it.
>>
>> Russ
>>
>> _______________________________________________ wpkops mailing list
>> wpkops@ietf.org https://www.ietf.org/mailman/listinfo/wpkops
>>
>
>
> _______________________________________________
> wpkops mailing list
> wpkops@ietf.org
> https://www.ietf.org/mailman/listinfo/wpkops


From nobody Wed Jul  8 04:15:24 2015
Return-Path: <gerv@mozilla.com>
X-Original-To: wpkops@ietfa.amsl.com
Delivered-To: wpkops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5D2A1B3465 for <wpkops@ietfa.amsl.com>; Wed,  8 Jul 2015 04:15:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level: 
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C08-3nG_T1-D for <wpkops@ietfa.amsl.com>; Wed,  8 Jul 2015 04:15:20 -0700 (PDT)
Received: from mail-wi0-f182.google.com (mail-wi0-f182.google.com [209.85.212.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07E401B343B for <wpkops@ietf.org>; Wed,  8 Jul 2015 04:15:19 -0700 (PDT)
Received: by wiga1 with SMTP id a1so281900353wig.0 for <wpkops@ietf.org>; Wed, 08 Jul 2015 04:15:18 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:from:openpgp:message-id :date:user-agent:mime-version:in-reply-to:content-type :content-transfer-encoding; bh=kYd5EdHcSEjcyQMAK9IctDwfswAfFHT7ZP2l+gwSU3Y=; b=TkjNTtcdc416O++pJpGgqU7voBW7XSlLG6RRoeQ32JiUISX4hcn9AhzOehNI7ivZbi c+ShmkWi0crj4QSuKQjw80J0m1wHyDwYD3PVT7gIwe3f6iLD9I0mMVorRxBl7k3Yykg/ snazzeLkkM3BsCDMLaTDSNPoSUxr4/vK6hhdkV4n5fwdlu5dffuU0E/yyNmb3C3YFlKQ Lw0ot5AYo3qb6yP+FDxJBud87GZ0L38+o7tVO0OlIBf0vI83BW7EVD81uqbWksaMn+VD d5xicEG0MKuptmnDlo1mNJ2ckU8eRoQ+ZW3KlRxRhS8KK4RHF/A2BDUBwuKBRleU7VTS GTqg==
X-Gm-Message-State: ALoCoQlbOPju+BBCnIPYKfcu+lnSU8ZaMQMH+IBM6CyqDCo/aZYFnc7W5lsprkQyMiOt60L84vmE
X-Received: by 10.180.77.115 with SMTP id r19mr115255423wiw.9.1436354118605; Wed, 08 Jul 2015 04:15:18 -0700 (PDT)
Received: from [192.168.0.115] (fpc2-shef11-2-0-cust7.17-1.static.cable.virginm.net. [94.173.170.136]) by smtp.gmail.com with ESMTPSA id c11sm2736086wib.1.2015.07.08.04.15.17 for <wpkops@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 Jul 2015 04:15:17 -0700 (PDT)
To: wpkops@ietf.org
References: <28D7CC3C-E21C-4D01-8F13-F2D661D82D71@vigilsec.com>
From: Gervase Markham <gerv@mozilla.org>
Openpgp: id=EEDEEFF962E97696DACBD2CCD9B347EA9DF43DBB
X-Enigmail-Draft-Status: N1110
Message-ID: <559D0644.2060701@mozilla.org>
Date: Wed, 8 Jul 2015 12:15:16 +0100
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Thunderbird/38.0
MIME-Version: 1.0
In-Reply-To: <28D7CC3C-E21C-4D01-8F13-F2D661D82D71@vigilsec.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/wpkops/b0o0iShgC4VClHMe2oIdqv2FAEQ>
Subject: Re: [wpkops] draft-housley-web-pki-problems-00
X-BeenThere: wpkops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <wpkops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wpkops>, <mailto:wpkops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wpkops/>
List-Post: <mailto:wpkops@ietf.org>
List-Help: <mailto:wpkops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wpkops>, <mailto:wpkops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jul 2015 11:15:23 -0000

On 07/07/15 15:57, Russ Housley wrote:
> I want to make people on this list aware of this draft that was posted yesterday.
> 
> Stephen Farrell suggested that this list might be a good place to discuss it.

https://tools.ietf.org/html/draft-housley-web-pki-problems-00

Some comments:

3.1: See: https://wiki.mozilla.org/CA:RevocationPlan

3.2/3.3: See HPKP, CAA and CT.

3.4: Bug Apple :-)

3.5: See Let's Encrypt, DigiCert Express Install, SSLMate etc. etc.

3.6: The entire point of Trustwave is that browsers could _not_
ordinarily detect the MITM. But anyway: it has been suggested that MITM
certs should be required to have a special marking which browsers can
detect, but this solution, when investigated, has a number of problems.
Ideas welcome.

3.7: 1024-bit: See https://bugzilla.mozilla.org/show_bug.cgi?id=1156844
for roots, CAB Forum policy for intermediates and EE certs. SHA1: See
Microsoft and Google policy and CAB Forum policy. MD5 is already dead.
RC4 is being worked on: see
https://bugzilla.mozilla.org/show_bug.cgi?id=1138101 .

4.1: With regard to the Mozilla root program, I refute the first
suggestion here. See
http://www.mozilla.org/projects/security/certs/policy/ and many other
places.

4.2: The actions we took in the CNNIC case were specifically designed to
be generalisable to a CA otherwise considered "too big to fail".

4.3: Given the existence of the above-mentioned services and APIs, this
seems like a Simple Matter of Programming to me. :-)

5.1.1: Browsers don't use such extensions because CRLs suck.

5.1.2: Indeed. Please put polite pressure on the Apache project and/or
Linux distributions to allow OCSP stapling to be enabled by default.

5.2.1: See https://www.imperialviolet.org/2015/01/17/notdane.html .

5.2.2: CAA is fine.

6.1: The CAB Forum is a lot more open, inclusive and transparent than it
once was, in part due to Mozilla pressure. For example, voting is no
longer secret, and nor are the mailing lists. Third parties can now take
part (although not vote) in working groups. Organizations can become
associate members. And while this is not full openness and transparency,
mozilla.dev.security.policy is always open to hear input from the
Internet community on what Mozilla should be doing or advocating.

The chances of browser makers handing over the right of decisions about
who to trust to a 3rd party body are vanishingly small.

Gerv


From nobody Wed Jul  8 12:47:21 2015
Return-Path: <Rick_Andrews@symantec.com>
X-Original-To: wpkops@ietfa.amsl.com
Delivered-To: wpkops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 096FA1A8716 for <wpkops@ietfa.amsl.com>; Wed,  8 Jul 2015 12:47:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level: 
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zmiP9UrKW98H for <wpkops@ietfa.amsl.com>; Wed,  8 Jul 2015 12:47:17 -0700 (PDT)
Received: from ecl1mtaoutpex02.symantec.com (ecl1mtaoutpex02.symantec.com [166.98.1.210]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F5AD1A8702 for <wpkops@ietf.org>; Wed,  8 Jul 2015 12:47:16 -0700 (PDT)
X-AuditID: a66201d2-f79716d000002214-1a-559d7e438caf
Received: from tus1opsmtapin01.ges.symantec.com (tus1opsmtapin01.ges.symantec.com [192.168.214.43]) by ecl1mtaoutpex02.symantec.com (Symantec Brightmail Gateway out) with SMTP id 0D.F9.08724.34E7D955; Wed,  8 Jul 2015 19:47:15 +0000 (GMT)
Received: from [155.64.220.137] (helo=TUS1XCHHUBPIN01.SYMC.SYMANTEC.COM) by tus1opsmtapin01.ges.symantec.com with esmtp (Exim 4.76) (envelope-from <Rick_Andrews@symantec.com>) id 1ZCvJL-0007TI-3i; Wed, 08 Jul 2015 19:47:15 +0000
Received: from TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM ([155.64.220.146]) by TUS1XCHHUBPIN01.SYMC.SYMANTEC.COM ([155.64.220.137]) with mapi; Wed, 8 Jul 2015 12:47:20 -0700
From: Rick Andrews <Rick_Andrews@symantec.com>
To: Gervase Markham <gerv@mozilla.org>, "wpkops@ietf.org" <wpkops@ietf.org>
Date: Wed, 8 Jul 2015 12:47:13 -0700
Thread-Topic: [wpkops] draft-housley-web-pki-problems-00
Thread-Index: AdC5b2jP+SBwUIrTTsSM5/mk+eEYMwAQdHog
Message-ID: <544B0DD62A64C1448B2DA253C01141461922CEB934@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
References: <28D7CC3C-E21C-4D01-8F13-F2D661D82D71@vigilsec.com> <559D0644.2060701@mozilla.org>
In-Reply-To: <559D0644.2060701@mozilla.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=SHA1; boundary="----=_NextPart_000_0125_01D0B97C.35D725C0"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/wpkops/PAD8vTmqILNxJRo2JkGxjvMJIvI>
Subject: Re: [wpkops] draft-housley-web-pki-problems-00
X-BeenThere: wpkops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <wpkops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wpkops>, <mailto:wpkops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wpkops/>
List-Post: <mailto:wpkops@ietf.org>
List-Help: <mailto:wpkops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wpkops>, <mailto:wpkops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jul 2015 19:47:20 -0000

------=_NextPart_000_0125_01D0B97C.35D725C0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

3.1 It's true that many browsers don't do certificate status checks by
default, but only Firefox (AFAIK) gives the user the option to enable those
checks.

3.4 " Despite this situation, at least one major browser does not support
name constraints, and as a result, CAs are reluctant to use name
constraints." That's true, but it's only part of the story. Symantec (as an
example) issues certificates to FQDNs in practically all TLDs, ccTLDs, gTLDs
including many of the newly-approved ones. It's simply not practical for us
to use name constraints on our issuing CAs. And in the small number of cases
where we issued an issuing CA to an external third party, every single one
has rejected the idea of name constraints because they all wanted the
ability to issue to newly-acquired domain names. 

4.1.  Determination of the Trusted Certificate Authorities
" The browser vendors and the CAs determine what should and should not be
trusted by default." Not true; only the browser vendors determine what
should and should not be trusted. CAs have no control over their decisions.

Under " 5.  Emerging Technical Improvements" you might add the use of
Content Delivery Networks. Most major CAs today use CDNs to deliver CRLs and
OCSP responses, resulting in high availability and low latency for clients.
However, browser vendors still eschew status checking. 

5.1.1 " Sadly, few CAs take advantage of the CRLDP certificate extension." I
don't agree. Most of the CAs I'm aware of still add CRLDP extensions, even
though they're not required by the CABF Baseline Requirements and largely
ignored by browsers.

5.2.1 DANE
" DNSSEC has a single root domain as opposed to a multiplicity of trusted
CAs" It's true that DNSSEC has a single root domain, but if fully deployed,
every domain owner would also have to manage their own PKI. It's not
trivial, and there are no audit or compliance standards for this. 

I would suggest that you mention the multiple DANE modes of operation. In
two of the modes, no PKIX chain validation is needed; hence a self-signed
cert might appear as trustworthy as a CA-signed cert. 



------=_NextPart_000_0125_01D0B97C.35D725C0--
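Rick's point about the DANE modes is easy to see in code: the TLSA certificate usage field decides whether the client still has to build and validate a PKIX chain (usages 0 and 1, PKIX-TA and PKIX-EE) or whether the DNSSEC-secured record alone authenticates the certificate (usages 2 and 3, DANE-TA and DANE-EE). The following is an added example written for this archive; it is not code from the wpkops thread, from any participant, or from the draft under discussion. It parses RFC 6698 presentation-format TLSA records, pulls the SubjectPublicKeyInfo out of a certificate with a minimal DER walker, checks the association data, and reports whether PKIX validation is still required. SAMPLE_CERT is a constructed, structurally valid DER Certificate with an empty issuer, a junk key and a junk signature, not a real certificate; DNSSEC validation of the TLSA RRset is assumed to have already happened.

```python
"""TLSA (RFC 6698) evaluation: record match plus "is PKIX still required?".
Added example; the certificate below is constructed, not real."""
import hashlib
from dataclasses import dataclass

USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}


@dataclass(frozen=True)
class TLSA:
    usage: int      # RFC 6698 s.2.1.1 certificate usage
    selector: int   # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(presentation: str) -> TLSA:
    """Parse presentation format such as '3 1 1 <hex digest>'."""
    fields = presentation.split()
    if len(fields) != 4:
        raise ValueError("TLSA record needs usage, selector, matching type, data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in USAGE_NAMES or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported TLSA field value")
    return TLSA(usage, selector, mtype, bytes.fromhex(fields[3]))


def requires_pkix_validation(record: TLSA) -> bool:
    """Usages 0/1 only constrain a chain that must still validate against the
    client's trust store; usages 2/3 replace that check entirely, so a
    self-signed certificate can satisfy them."""
    return record.usage in (0, 1)


# --- minimal DER helpers, enough to reach the SPKI inside a Certificate ---
def der(tag: int, content: bytes) -> bytes:
    """Encode one definite-length DER TLV."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _read_tlv(buf: bytes, off: int):
    """Return (tag, content_start, content_end) for the TLV at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        hdr, length = 2, first
    else:
        hdr = 2 + (first & 0x7F)
        length = int.from_bytes(buf[off + 2:off + hdr], "big")
    return tag, off + hdr, off + hdr + length


def der_children(tlv: bytes) -> list:
    """Split a constructed DER value into its child TLVs."""
    tag, off, end = _read_tlv(tlv, 0)
    if not tag & 0x20:
        raise ValueError("not a constructed DER value")
    kids = []
    while off < end:
        _, _, child_end = _read_tlv(tlv, off)
        kids.append(tlv[off:child_end])
        off = child_end
    return kids


def extract_spki(cert_der: bytes) -> bytes:
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo (RFC 5280 s.4.1)."""
    fields = der_children(der_children(cert_der)[0])
    if fields[0][0] == 0xA0:          # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]


def association_data(record: TLSA, cert_der: bytes) -> bytes:
    """Apply the record's selector and matching type to the certificate."""
    selected = cert_der if record.selector == 0 else extract_spki(cert_der)
    if record.mtype == 0:
        return selected
    digest = hashlib.sha256 if record.mtype == 1 else hashlib.sha512
    return digest(selected).digest()


def tlsa_matches(record: TLSA, cert_der: bytes) -> bool:
    return association_data(record, cert_der) == record.data


# --- constructed sample data: shape of a v3 Certificate, no real key or signature ---
RSA_OID = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, RSA_OID)) + der(0x03, b"\x00" + b"\x11" * 16))
SAMPLE_CERT = der(0x30,
    der(0x30,                                        # tbsCertificate
        der(0xA0, der(0x02, b"\x02"))                # [0] version: v3
        + der(0x02, b"\x01")                         # serialNumber
        + der(0x30, der(0x06, SHA256_RSA_OID))       # signature algorithm
        + der(0x30, b"")                             # issuer: empty Name (nobody vouches)
        + der(0x30, der(0x17, b"150101000000Z") + der(0x17, b"160101000000Z"))
        + der(0x30, b"")                             # subject: empty Name
        + SAMPLE_SPKI)
    + der(0x30, der(0x06, SHA256_RSA_OID))           # signatureAlgorithm
    + der(0x03, b"\x00" + b"\x22" * 8))              # signatureValue: junk bits


def sample_digest(selector: int, mtype: int) -> str:
    """Hex association data for SAMPLE_CERT, for building records to test against."""
    return association_data(TLSA(3, selector, mtype, b""), SAMPLE_CERT).hex()


def evaluate(presentation: str, cert_der: bytes = SAMPLE_CERT) -> dict:
    """What a DANE-aware client concludes from one record and one presented cert."""
    record = parse_tlsa(presentation)
    return {"usage": USAGE_NAMES[record.usage],
            "matches": tlsa_matches(record, cert_der),
            "pkix_required": requires_pkix_validation(record)}


if __name__ == "__main__":
    for rec in ("3 1 1 " + sample_digest(1, 1), "1 1 1 " + sample_digest(1, 1)):
        print(rec.split()[:3], evaluate(rec))
```

Two things to keep in mind when reading the output. For usage 2 (DANE-TA) a real client matches the record against a CA certificate anywhere in the presented chain and then still verifies a path to that anchor; this example evaluates a single presented certificate only. And note what `3 1 1 <hash of SPKI>` accepts here: a certificate with an empty issuer and a meaningless signature. Under DANE-EE nothing about the issuer is consulted, which is exactly why a self-signed certificate can appear as trustworthy as a CA-signed one, and why the audit and compliance burden moves to whoever runs the zone.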


From nobody Wed Jul  8 18:41:02 2015
Return-Path: <ralph.ietf@gmail.com>
X-Original-To: wpkops@ietfa.amsl.com
Delivered-To: wpkops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC4021A8977 for <wpkops@ietfa.amsl.com>; Wed,  8 Jul 2015 18:41:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l-OXoxo5c1VO for <wpkops@ietfa.amsl.com>; Wed,  8 Jul 2015 18:40:59 -0700 (PDT)
Received: from mail-oi0-x235.google.com (mail-oi0-x235.google.com [IPv6:2607:f8b0:4003:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8BB571A01F0 for <wpkops@ietf.org>; Wed,  8 Jul 2015 18:40:59 -0700 (PDT)
Received: by oiyy130 with SMTP id y130so179310333oiy.0 for <wpkops@ietf.org>; Wed, 08 Jul 2015 18:40:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=P5zoeRX3ajNoD0aWcgZtXCMnOJdm9ILfuvDYXCvCVnc=; b=Fy0WiwGBHPKKa1cWRM6HyuwAODJIHYAJlx7asmfDOyWqaqfJWVuAthNd0ti9JJSXtf Ih/eIVqgqN5JBT3pyBN3QA52ot26VASBcVP+r8O8ZNabCTShuoitfXchbnzJ94DeXLcW TsDwruSBWaQ/orGzvwyVPx+5tuh3dOPfXhqteQXWFAS9hb/EjBe0aJ4k1V15QijLq7ED Udl2Jt2D34gcduyjjkfLxbTtbIV9Cj0lmHZP7xmXHQnm6j+qeSkgaHJNwpd5R1GIkJ6O lJX61pfOI82haiYIGTCEr+nhC31krsNbpSwEcPywpG8LbC95S9qQaHDTuvYuKTvDv947 Znwg==
MIME-Version: 1.0
X-Received: by 10.182.250.195 with SMTP id ze3mr11972267obc.74.1436406058880;  Wed, 08 Jul 2015 18:40:58 -0700 (PDT)
Received: by 10.202.115.1 with HTTP; Wed, 8 Jul 2015 18:40:58 -0700 (PDT)
In-Reply-To: <8d66da4eb5d24bb89f8d6b934640ea61@EX2.corp.digicert.com>
References: <28D7CC3C-E21C-4D01-8F13-F2D661D82D71@vigilsec.com> <8d66da4eb5d24bb89f8d6b934640ea61@EX2.corp.digicert.com>
Date: Thu, 9 Jul 2015 11:40:58 +1000
Message-ID: <CA+K9O5QgGKtNxGLkOKwPsgL9CJBA-N+6v3wPWw+f_qQYcsJW-w@mail.gmail.com>
From: Ralph Holz <ralph.ietf@gmail.com>
To: Jeremy Rowley <jeremy.rowley@digicert.com>
Content-Type: multipart/alternative; boundary=089e01634d7ee49798051a67582f
Archived-At: <http://mailarchive.ietf.org/arch/msg/wpkops/8hNZmagMaTb4BbyJR7ZRz4vieaM>
Cc: "wpkops@ietf.org" <wpkops@ietf.org>, Russ Housley <housley@vigilsec.com>
Subject: Re: [wpkops] draft-housley-web-pki-problems-00
X-BeenThere: wpkops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <wpkops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wpkops>, <mailto:wpkops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wpkops/>
List-Post: <mailto:wpkops@ietf.org>
List-Help: <mailto:wpkops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wpkops>, <mailto:wpkops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2015 01:41:01 -0000

--089e01634d7ee49798051a67582f
Content-Type: text/plain; charset=UTF-8

Informational RFCs that detail shortcomings of technology exist - see,
e.g., the work done in the UTA WG (disclaimer: I am a co-author of one
such RFC).

Calling for specific mechanisms or forums is indeed odd. I'd suggest to
rather go for a list of pointers instead.

Ralph

On 8 July 2015 at 05:36, Jeremy Rowley <jeremy.rowley@digicert.com> wrote:

> This paper sounds like a wish list of select issues taken from the Mozilla
> forums.  I don't see why it would be published as informational RFC? Is the
> goal to make a list of issues that community members feel need to be
> discussed? I don't get it.
>
> The conclusions seem to be 1) Have a CAB Forum that is more transparent
> (which is out of scope of the IETF - I'm not sure I've ever seen an IETF
> paper specifically call out to another industry body requesting a change in
> its membership?) and 2) Use Let's Encrypt - one specific member of the CA
> community.  Many CAs already offer free tools to automate issuance, making
> the call out to Let's Encrypt very odd in an IETF document, especially
> where the touted feature - new automated tools - already exist (
> https://www.digicert.com/express-install/).  I have a similar complaint
> about the reference to acme where PHB has been proposing something similar
> for a LONG time (
> https://tools.ietf.org/html/draft-hallambaker-omnibroker-06).
>
> I'm also not sure why you selected the specific issues for inclusion in
> the paper. For example, the paper doesn't mention inconsistencies in
> validation levels, which (imo) is a bigger issue than the "too big to fail"
> scenario. Cost also is a weird issue to include in the document since it's
> always relative.  It's also very difficult to discuss without running afoul
> of anti-trust laws.
>
> Jeremy
>
> -----Original Message-----
> From: wpkops [mailto:wpkops-bounces@ietf.org] On Behalf Of Russ Housley
> Sent: Tuesday, July 7, 2015 8:57 AM
> To: wpkops@ietf.org
> Subject: [wpkops] draft-housley-web-pki-problems-00
>
> I want to make people on this list aware of this draft that was posted
> yesterday.
>
> Stephen Farrell suggested that this list might be a good place to discuss
> it.
>
> Russ
>
> _______________________________________________
> wpkops mailing list
> wpkops@ietf.org
> https://www.ietf.org/mailman/listinfo/wpkops
>

--089e01634d7ee49798051a67582f--


From nobody Wed Jul  8 20:06:00 2015
Return-Path: <jeremy.rowley@digicert.com>
X-Original-To: wpkops@ietfa.amsl.com
Delivered-To: wpkops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF2341A8A49 for <wpkops@ietfa.amsl.com>; Wed,  8 Jul 2015 20:05:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level: 
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ex7hEwfXdxgO for <wpkops@ietfa.amsl.com>; Wed,  8 Jul 2015 20:05:57 -0700 (PDT)
Received: from mail.digicert.com (mail.digicert.com [64.78.193.232]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9331C1A8A46 for <wpkops@ietf.org>; Wed,  8 Jul 2015 20:05:57 -0700 (PDT)
From: Jeremy Rowley <jeremy.rowley@digicert.com>
To: Ralph Holz <ralph.ietf@gmail.com>
Thread-Topic: [wpkops] draft-housley-web-pki-problems-00
Thread-Index: AQHQuMVQY4sV5YvCFk+fNcTud623Ip3QYTgAgAJibQD//7DIcA==
Date: Thu, 9 Jul 2015 03:05:55 +0000
Message-ID: <3dcffcf4bf7441c897115a2002a502cd@EX2.corp.digicert.com>
References: <28D7CC3C-E21C-4D01-8F13-F2D661D82D71@vigilsec.com> <8d66da4eb5d24bb89f8d6b934640ea61@EX2.corp.digicert.com> <CA+K9O5QgGKtNxGLkOKwPsgL9CJBA-N+6v3wPWw+f_qQYcsJW-w@mail.gmail.com>
In-Reply-To: <CA+K9O5QgGKtNxGLkOKwPsgL9CJBA-N+6v3wPWw+f_qQYcsJW-w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [63.158.87.14]
Content-Type: multipart/alternative; boundary="_000_3dcffcf4bf7441c897115a2002a502cdEX2corpdigicertcom_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/wpkops/hBMgHH-tKNd3eucdquqhnQKvP78>
Cc: "wpkops@ietf.org" <wpkops@ietf.org>, Russ Housley <housley@vigilsec.com>
Subject: Re: [wpkops] draft-housley-web-pki-problems-00
X-BeenThere: wpkops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <wpkops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wpkops>, <mailto:wpkops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wpkops/>
List-Post: <mailto:wpkops@ietf.org>
List-Help: <mailto:wpkops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wpkops>, <mailto:wpkops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2015 03:06:00 -0000

--_000_3dcffcf4bf7441c897115a2002a502cdEX2corpdigicertcom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

--_000_3dcffcf4bf7441c897115a2002a502cdEX2corpdigicertcom_--

