Opened 7 years ago

Closed 6 years ago

#113 closed enhancement (fixed)

Add advice about the tls-feature TLS extension

Reported by: rob.stradling@… Owned by: benl@…
Priority: minor Milestone: review
Component: rfc6962-bis Version:
Severity: - Keywords:
Cc:

Description

RFC 7633 standardizes the TLS Feature certificate extension. This could potentially be included in a certificate to signal that a TLS server MUST send the CT TLS extension (if the TLS client indicated support for it) when it sends this particular certificate. However, since this would prevent the use of the other SCT distribution mechanisms (embedded in cert; embedded in stapled OCSP response) in conjunction with this cert, it seems like it would be an unnecessarily limiting thing to do.

Having said that, perhaps we could specify our own semantics for what it means to include the CT TLS extension number in the TLS Feature certificate extension - e.g. that the TLS server MUST send at least 1 SCT via _any_ of the supported distribution mechanisms (if the TLS client indicated support for the CT TLS extension).

Tom Ritter pointed out [1] that using the TLS Feature certificate extension in an end-entity certificate...
"...wouldn't solve the generic problem of letting
a site owner dictate that CT should always be enabled for their
domain. The reason I'm critical of 7633 is that it only applies to a
single certificate[0]. If I want to 'enforce' CT for a single
certificate, via a x509 extension... I could just put the CT x509
extension in the certificate."

However, Tom went on to advocate using TLS Feature in CA certificates...
"[0] Now technically where 7633 really comes into play and is very
useful is when it's included in intermediates or (my pounding heart be
still) - root certs. In *that* case it would work great for requiring
CT... but not for site owners, for certificate authorities. A CA is
assured that all the certs it issues will be publicly logged, and it
can use this as a check against misissuance. I think that's great...
but it still doesn't help site owners. =)"

So I suggest that we specify that...

  • CAs SHOULD NOT (or MUST NOT?) include the CT TLS extension number in the TLS Feature certificate extension in end-entity certificates, because there are (or we expect that there will be) better ways to require CT compliance for single certificates.
  • CAs MAY include the CT TLS extension number in the TLS Feature certificate extension in root/intermediate certificates, to indicate that CT compliance is required for all certs whose chains involve this root/intermediate certificate.

Any other opinions?

[1] https://groups.google.com/a/chromium.org/d/msg/ct-policy/AGN23TW-ei8/0lQXUX56BQAJ
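The following is an added worked example for this ticket; it is not code from the rfc6962-bis draft, the Trac project, or any CA software. It encodes and decodes the RFC 7633 TLS Feature extension value (id-pe-tlsfeature, OID 1.3.6.1.5.5.7.1.24, value `Features ::= SEQUENCE OF INTEGER`) with the CT TLS extension number (signed_certificate_timestamp, type 18, from RFC 6962), and then evaluates a handshake under two readings: the RFC 7633 text (the flagged extension itself must be sent) and the alternative semantics proposed above (any SCT delivery mechanism suffices). The function names, the `sct_sources` labels and the `issuance_advice` rule that mirrors the two bullet points are this example's own assumptions, not standardized behaviour.

```python
"""DER handling and policy evaluation for the RFC 7633 TLS Feature extension
as it applies to the CT TLS extension (signed_certificate_timestamp, 18).

Added example for this ticket; not code from the rfc6962-bis draft.
OID and extension numbers come from RFC 7633, RFC 6066 and RFC 6962; the
"proposed" semantics encode the ticket's suggestion and are an assumption.
"""

ID_PE_TLSFEATURE = "1.3.6.1.5.5.7.1.24"   # RFC 7633, id-pe-tlsfeature
TLS_EXT_STATUS_REQUEST = 5                # RFC 6066, status_request
TLS_EXT_SCT = 18                          # RFC 6962, signed_certificate_timestamp


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(v):
    """Minimal two's-complement INTEGER; a leading 0x00 is added when the
    high bit of the first content byte would otherwise be set."""
    if v < 0:
        raise ValueError("TLS extension numbers are non-negative")
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_length(len(body)) + body


def encode_tls_feature(features):
    """Encode Features ::= SEQUENCE OF INTEGER (RFC 7633 section 3)."""
    content = b"".join(_der_integer(f) for f in features)
    return b"\x30" + _der_length(len(content)) + content


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length form")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def decode_tls_feature(der):
    """Strictly parse a TLSFeature value into a list of extension numbers."""
    tag, content, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("TLSFeature must be exactly one SEQUENCE")
    features, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        if tag != 0x02 or not value:
            raise ValueError("TLSFeature entries must be INTEGERs")
        if value[0] & 0x80:
            raise ValueError("negative extension number")
        if len(value) > 1 and value[0] == 0 and not value[1] & 0x80:
            raise ValueError("non-minimal INTEGER encoding is not DER")
        features.append(int.from_bytes(value, "big"))
    return features


def is_valid_tls_feature(der):
    """True when the bytes are a well-formed TLSFeature value."""
    try:
        decode_tls_feature(der)
        return True
    except ValueError:
        return False


def evaluate_ct_requirement(features, client_offered_ct, sct_sources,
                            semantics="rfc7633"):
    """Did the handshake satisfy the certificate's demand for CT?

    sct_sources: mechanisms that delivered at least one SCT, a subset of
      {"tls_extension", "embedded", "ocsp"} (labels are this example's).
    semantics: "rfc7633" - the flagged TLS extension itself must be sent;
               "proposed" - the ticket's reading, any mechanism suffices.
    Returns (ok, reason).
    """
    if TLS_EXT_SCT not in features:
        return True, "certificate does not require the CT TLS extension"
    if not client_offered_ct:
        return True, "client did not offer CT; the requirement is conditional"
    if semantics == "rfc7633":
        ok = "tls_extension" in sct_sources
        return ok, "CT TLS extension " + ("sent" if ok else "missing")
    if semantics == "proposed":
        if sct_sources:
            return True, "SCTs delivered via " + ", ".join(sorted(sct_sources))
        return False, "no SCT delivered by any mechanism"
    raise ValueError("unknown semantics")


def issuance_advice(is_ca_cert, features):
    """Apply the ticket's two proposed bullets to a certificate profile."""
    if TLS_EXT_SCT not in features:
        return "ok: no CT requirement flagged"
    if is_ca_cert:
        return "ok: CT required for every cert chaining to this CA"
    return "warn: SHOULD NOT flag the CT TLS extension in an end-entity cert"


if __name__ == "__main__":
    ext = encode_tls_feature([TLS_EXT_STATUS_REQUEST, TLS_EXT_SCT])  # constructed
    print(ID_PE_TLSFEATURE, ext.hex(), decode_tls_feature(ext))
    # Cert flags CT, client offered it, server only embedded SCTs in the cert:
    print(evaluate_ct_requirement([TLS_EXT_SCT], True, {"embedded"}))
    print(evaluate_ct_requirement([TLS_EXT_SCT], True, {"embedded"}, "proposed"))
    print(issuance_advice(False, [TLS_EXT_SCT]))
```

The two `evaluate_ct_requirement` calls in the `__main__` block make the ticket's point concrete: with SCTs embedded in the certificate but no SCT TLS extension, the RFC 7633 reading fails the handshake while the proposed reading passes it.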

Change History (5)

comment:1 Changed 6 years ago by benl@…

  • Owner changed from draft-ietf-trans-rfc6962-bis@… to benl@…

comment:2 Changed 6 years ago by benl@…

I think it is unclear that EE certs should _never_ have this extension, and saying anything weaker seems pointless.

comment:5 Changed 6 years ago by melinda.shore@…

  • Resolution set to fixed
  • Status changed from new to closed