CA/CT Redaction: Difference between revisions

CA/CT Redaction (view source)

Revision as of 14:00, 21 November 2017

1,441 bytes added , 21 November 2017

More draftiness

Gerv

Account confirmers, Anti-spam team, Confirmed users, Bureaucrats and Sysops emeriti

4,925

edits

@@ Line 11: / Line 11: @@
 ==== Response ====
-In Chrome at least, enterprises already have this capability via enterprise policies, which do not require the installation of a specific root CA. I.e. they can turn off the CT requirement for particular roots.
+In Chrome at least, which is currently the only browser that checks CT, enterprises already have this capability via enterprise policies, which do not require the installation of a specific root CA. I.e. they can turn off the CT requirement for particular roots.
 === Concealing Network Topography ===
-Redaction means organizations can use publicly-trusted, CT logged certificates behind their firewalls that do not reveal their security topography by revealing all nodes in the FQDN during CT logging. Multiple wildcard certs with different key pairs would be hard to track.
+Redaction means organizations can use publicly-trusted, CT logged certificates behind their firewalls that do not reveal their security topography by revealing all nodes in the FQDN during CT logging. The alternative, multiple otherwise-identical wildcard certs with different key pairs, would be hard to track.
 ==== Response ====
-This is an argument for security through obscurity. And, in fact, will not succeed in achieving the obscurity sought.
+This is an argument for security through obscurity. And, in fact, will not succeed in achieving the obscurity sought because hostnames leak in a number of other ways.
+As for multiple wildcard certs being hard to track, they would have different serial numbers, so automated provisioning software could tell them apart without difficulty.
 === IoT Usage ===
@@ Line 27: / Line 29: @@
 ==== Response ====
-Chrome, at least, believes that the IoT should use private roots, or roots separate from the WebPKI, to avoid the sort of stagnation and legacy compatibility problems we have seen previously, e.g. with SHA-1.
+Chrome, at least, believes that the IoT should use private roots, or roots separate from the WebPKI, to avoid the sort of stagnation and legacy compatibility problems we have seen previously, e.g. with SHA-1 and 1024-bit certs.
+=== Makes DOS Easier ===
+For low-resource IoT devices (cameras, sensors, some car uses, etc.), DOS attacks are possible, and unredacted CT logs may help the DOS attacker.
+==== Response ====
+Why would someone DOS a random camera just because it was there?
+=== CT Logging Reveals Geolocation Information ===
+For some IoT devices (cameras, sensors, etc.), geo-location information is very sensitive.  If the certificate is logged with CT, there must be a mechanism like redaction to anonymize.
+==== Response ====
+It is not clear how CT logging would reveal geolocation information for the device using the certificate.
+=== Reveals Commercially Sensitive Information ===
+Manufacturers using IoT certificates won't want to show the number of devices they have shipped, and redaction may help keep this information private.
+==== Response ====
+How? If counting certificates is indeed a good way of determining how many devices are shipped, redaction won't change the number of certificates logged.
 == Against ==
@@ Line 34: / Line 60: @@
 It is difficult to build robust policies and procedures around what happens when a domain owner sees a redacted cert they didn't request. How can they get an unredacted copy of the original? What happens if the CA can't or won't provide it? What recourse does the domain owner have? More details on this can be found in [https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/vsTzv8oNcws%5B76-100%5D this CT policy post].
+== Alternatives ==
+* Disabling CT via browser policy
+* Private roots
+* Wildcard certs
+* CT-logging anyway