draft-ietf-trans-rfc6962-bis-41.txt   draft-ietf-trans-rfc6962-bis-42.txt 
TRANS (Public Notary Transparency) B. Laurie TRANS (Public Notary Transparency) B. Laurie
Internet-Draft A. Langley Internet-Draft A. Langley
Obsoletes: 6962 (if approved) E. Kasper Obsoletes: 6962 (if approved) E. Kasper
Intended status: Experimental E. Messeri Intended status: Experimental E. Messeri
Expires: 31 January 2022 Google Expires: 4 March 2022 Google
R. Stradling R. Stradling
Sectigo Sectigo
30 July 2021 31 August 2021
Certificate Transparency Version 2.0 Certificate Transparency Version 2.0
draft-ietf-trans-rfc6962-bis-41 draft-ietf-trans-rfc6962-bis-42
Abstract Abstract
This document describes version 2.0 of the Certificate Transparency This document describes version 2.0 of the Certificate Transparency
(CT) protocol for publicly logging the existence of Transport Layer (CT) protocol for publicly logging the existence of Transport Layer
Security (TLS) server certificates as they are issued or observed, in Security (TLS) server certificates as they are issued or observed, in
a manner that allows anyone to audit certification authority (CA) a manner that allows anyone to audit certification authority (CA)
activity and notice the issuance of suspect certificates as well as activity and notice the issuance of suspect certificates as well as
to audit the certificate logs themselves. The intent is that to audit the certificate logs themselves. The intent is that
eventually clients would refuse to honor certificates that do not eventually clients would refuse to honor certificates that do not
skipping to change at page 2, line 10 skipping to change at page 2, line 10
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 31 January 2022. This Internet-Draft will expire on 4 March 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 3, line 45 skipping to change at page 3, line 45
8.1.3. Validating SCTs . . . . . . . . . . . . . . . . . . . 42 8.1.3. Validating SCTs . . . . . . . . . . . . . . . . . . . 42
8.1.4. Fetching inclusion proofs . . . . . . . . . . . . . . 43 8.1.4. Fetching inclusion proofs . . . . . . . . . . . . . . 43
8.1.5. Validating inclusion proofs . . . . . . . . . . . . . 43 8.1.5. Validating inclusion proofs . . . . . . . . . . . . . 43
8.1.6. Evaluating compliance . . . . . . . . . . . . . . . . 44 8.1.6. Evaluating compliance . . . . . . . . . . . . . . . . 44
8.2. Monitor . . . . . . . . . . . . . . . . . . . . . . . . . 44 8.2. Monitor . . . . . . . . . . . . . . . . . . . . . . . . . 44
8.3. Auditing . . . . . . . . . . . . . . . . . . . . . . . . 45 8.3. Auditing . . . . . . . . . . . . . . . . . . . . . . . . 45
9. Algorithm Agility . . . . . . . . . . . . . . . . . . . . . . 46 9. Algorithm Agility . . . . . . . . . . . . . . . . . . . . . . 46
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 47 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 47
10.1. Additions to existing registries . . . . . . . . . . . . 47 10.1. Additions to existing registries . . . . . . . . . . . . 47
10.1.1. New Entry to the TLS ExtensionType Registry . . . . 47 10.1.1. New Entry to the TLS ExtensionType Registry . . . . 47
10.1.2. URN Sub-namespace for TRANS errors 10.1.2. URN Sub-namespace for TRANS
(urn:ietf:params:trans:error) . . . . . . . . . . . . 47 (urn:ietf:params:trans) . . . . . . . . . . . . . . . 47
10.2. New CT-Related registries . . . . . . . . . . . . . . . 47 10.2. New CT-Related registries . . . . . . . . . . . . . . . 47
10.2.1. Hash Algorithms . . . . . . . . . . . . . . . . . . 48 10.2.1. Hash Algorithms . . . . . . . . . . . . . . . . . . 48
10.2.2. Signature Algorithms . . . . . . . . . . . . . . . . 48 10.2.2. Signature Algorithms . . . . . . . . . . . . . . . . 48
10.2.3. VersionedTransTypes . . . . . . . . . . . . . . . . 49 10.2.3. VersionedTransTypes . . . . . . . . . . . . . . . . 49
10.2.4. Log Artifact Extension Registry . . . . . . . . . . 50 10.2.4. Log Artifact Extension Registry . . . . . . . . . . 50
10.2.5. Log IDs Registry . . . . . . . . . . . . . . . . . . 51 10.2.5. Log IDs Registry . . . . . . . . . . . . . . . . . . 51
10.2.6. Error Types Registry . . . . . . . . . . . . . . . . 52 10.2.6. Error Types Registry . . . . . . . . . . . . . . . . 52
10.3. OID Assignment . . . . . . . . . . . . . . . . . . . . . 54 10.3. OID Assignment . . . . . . . . . . . . . . . . . . . . . 54
11. Security Considerations . . . . . . . . . . . . . . . . . . . 54 11. Security Considerations . . . . . . . . . . . . . . . . . . . 54
11.1. Misissued Certificates . . . . . . . . . . . . . . . . . 55 11.1. Misissued Certificates . . . . . . . . . . . . . . . . . 55
skipping to change at page 22, line 6 skipping to change at page 22, line 6
of its value, excluding the tag and length, MUST be no longer than of its value, excluding the tag and length, MUST be no longer than
127 octets. 127 octets.
4.5. TransItem Structure 4.5. TransItem Structure
Various data structures are encapsulated in the "TransItem" structure Various data structures are encapsulated in the "TransItem" structure
to ensure that the type and version of each one is identified in a to ensure that the type and version of each one is identified in a
common fashion: common fashion:
enum { enum {
reserved(0), x509_entry_v2(0x0100), precert_entry_v2(0x0101),
x509_entry_v2(1), precert_entry_v2(2), x509_sct_v2(0x0102), precert_sct_v2(0x0103),
x509_sct_v2(3), precert_sct_v2(4), signed_tree_head_v2(0x0104), consistency_proof_v2(0x0105),
signed_tree_head_v2(5), consistency_proof_v2(6), inclusion_proof_v2(0x0106),
inclusion_proof_v2(7),
(65535) /* Reserved Code Points */
reserved_rfc6962(0x0000..0x00FF),
reserved_experimentaluse(0xE000..0xEFFF),
reserved_privateuse(0xF000..0xFFFF),
(0xFFFF)
} VersionedTransType; } VersionedTransType;
struct { struct {
VersionedTransType versioned_type; VersionedTransType versioned_type;
select (versioned_type) { select (versioned_type) {
case x509_entry_v2: TimestampedCertificateEntryDataV2; case x509_entry_v2: TimestampedCertificateEntryDataV2;
case precert_entry_v2: TimestampedCertificateEntryDataV2; case precert_entry_v2: TimestampedCertificateEntryDataV2;
case x509_sct_v2: SignedCertificateTimestampDataV2; case x509_sct_v2: SignedCertificateTimestampDataV2;
case precert_sct_v2: SignedCertificateTimestampDataV2; case precert_sct_v2: SignedCertificateTimestampDataV2;
case signed_tree_head_v2: SignedTreeHeadDataV2; case signed_tree_head_v2: SignedTreeHeadDataV2;
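Review bot: the select (versioned_type) block still enumerates only the seven assigned types, so the newly added reserved_rfc6962(0x0000..0x00FF), reserved_experimentaluse(0xE000..0xEFFF) and reserved_privateuse(0xF000..0xFFFF) ranges have no case arm; the text should state explicitly that a TransItem whose versioned_type falls in a reserved or unassigned range is a decoding error, otherwise a lenient parser could accept a v1 SCT (whose first byte is the RFC 6962 version byte 0x00) as a malformed v2 item, which is exactly the ambiguity the 0x0000..0x00FF reservation exists to remove. Note also that renumbering the assigned values from 0x0001..0x0007 to 0x0100..0x0106 is a wire-incompatible change from -41, so implementations tracking the draft must update their constants in step rather than treating the new values as additions.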
skipping to change at page 47, line 33 skipping to change at page 47, line 33
Values" registry defined in [RFC8446], with an assigned Value: Values" registry defined in [RFC8446], with an assigned Value:
+=======+===================+============+=============+===========+ +=======+===================+============+=============+===========+
| Value | Extension Name | TLS 1.3 | Recommended | Reference | | Value | Extension Name | TLS 1.3 | Recommended | Reference |
+=======+===================+============+=============+===========+ +=======+===================+============+=============+===========+
| TBD | transparency_info | CH, CR, CT | Y | RFCXXXX | | TBD | transparency_info | CH, CR, CT | Y | RFCXXXX |
+-------+-------------------+------------+-------------+-----------+ +-------+-------------------+------------+-------------+-----------+
Table 7 Table 7
10.1.2. URN Sub-namespace for TRANS errors 10.1.2. URN Sub-namespace for TRANS (urn:ietf:params:trans)
(urn:ietf:params:trans:error)
IANA is requested to add a new entry in the "IETF URN Sub-namespace IANA is requested to add a new entry in the "IETF URN Sub-namespace
for Registered Protocol Parameter Identifiers" registry, following for Registered Protocol Parameter Identifiers" registry, following
the template in [RFC3553]: the template in [RFC3553]:
Registry name: trans:error Registry name: trans
Specification: RFCXXXX Specification: RFCXXXX
Repository: https://www.iana.org/assignments/trans Repository: https://www.iana.org/assignments/trans
Index value: No transformation needed. Index value: No transformation needed.
10.2. New CT-Related registries 10.2. New CT-Related registries
IANA is requested to add a new protocol registry, "Public Notary IANA is requested to add a new protocol registry, "Public Notary
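Review bot: widening the registration from "trans:error" to "trans" makes the registry name consistent with the Repository URL https://www.iana.org/assignments/trans and with the updated ToC entry, but the error identifiers themselves (Section 10.2.6, Error Types Registry, not shown in this diff) presumably remain under urn:ietf:params:trans:error; that section should say the error sub-namespace is a branch of the urn:ietf:params:trans registration requested here, so the two sections do not read as requesting different namespaces.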
skipping to change at page 50, line 7 skipping to change at page 50, line 7
[RFC8446]), and is suitable for use as a cryptographic signature [RFC8446]), and is suitable for use as a cryptographic signature
algorithm. algorithm.
10.2.3. VersionedTransTypes 10.2.3. VersionedTransTypes
IANA is asked to establish a registry of "VersionedTransType" values, IANA is asked to establish a registry of "VersionedTransType" values,
named "VersionedTransTypes". named "VersionedTransTypes".
The following note should be added: The following note should be added:
* The 0x0000 value is reserved so that v1 SCTs are distinguishable * The range 0x0000..0x00FF is reserved so that v1 SCTs are
from v2 SCTs and other "TransItem" structures. distinguishable from v2 SCTs and other "TransItem" structures.
The registry should initially consist of: The registry should initially consist of:
+==========+======================+===============================+ +==========+======================+===============================+
| Value | Type and Version | Reference / Assignment Policy | | Value | Type and Version | Reference / Assignment Policy |
+==========+======================+===============================+ +==========+======================+===============================+
| 0x0000 | Reserved | [RFC6962] | | 0x0000 - | Reserved | [RFC6962] |
| 0x00FF | | |
+----------+----------------------+-------------------------------+ +----------+----------------------+-------------------------------+
| 0x0001 | x509_entry_v2 | RFCXXXX | | 0x0100 | x509_entry_v2 | RFCXXXX |
+----------+----------------------+-------------------------------+ +----------+----------------------+-------------------------------+
| 0x0002 | precert_entry_v2 | RFCXXXX | | 0x0101 | precert_entry_v2 | RFCXXXX |
+----------+----------------------+-------------------------------+ +----------+----------------------+-------------------------------+
| 0x0003 | x509_sct_v2 | RFCXXXX | | 0x0102 | x509_sct_v2 | RFCXXXX |
+----------+----------------------+-------------------------------+ +----------+----------------------+-------------------------------+
| 0x0004 | precert_sct_v2 | RFCXXXX | | 0x0103 | precert_sct_v2 | RFCXXXX |
+----------+----------------------+-------------------------------+ +----------+----------------------+-------------------------------+
| 0x0005 | signed_tree_head_v2 | RFCXXXX | | 0x0104 | signed_tree_head_v2 | RFCXXXX |
+----------+----------------------+-------------------------------+ +----------+----------------------+-------------------------------+
| 0x0006 | consistency_proof_v2 | RFCXXXX | | 0x0105 | consistency_proof_v2 | RFCXXXX |
+----------+----------------------+-------------------------------+ +----------+----------------------+-------------------------------+
| 0x0007 | inclusion_proof_v2 | RFCXXXX | | 0x0106 | inclusion_proof_v2 | RFCXXXX |
+----------+----------------------+-------------------------------+ +----------+----------------------+-------------------------------+
| 0x0008 - | Unassigned | Specification Required | | 0x0107 - | Unassigned | Specification Required |
| 0xDFFF | | | | 0xDFFF | | |
+----------+----------------------+-------------------------------+ +----------+----------------------+-------------------------------+
| 0xE000 - | Reserved | Experimental Use | | 0xE000 - | Reserved | Experimental Use |
| 0xEFFF | | | | 0xEFFF | | |
+----------+----------------------+-------------------------------+ +----------+----------------------+-------------------------------+
| 0xF000 - | Reserved | Private Use | | 0xF000 - | Reserved | Private Use |
| 0xFFFF | | | | 0xFFFF | | |
+----------+----------------------+-------------------------------+ +----------+----------------------+-------------------------------+
Table 10 Table 10
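Review bot: the table now agrees with the enum in Section 4.5 (assigned 0x0100..0x0106, Unassigned 0x0107-0xDFFF, Experimental Use 0xE000-0xEFFF, Private Use 0xF000-0xFFFF), but the Reference column for the reserved 0x0000-0x00FF row cites only [RFC6962], which assigns no VersionedTransType values; the accompanying note (the range is reserved so that v1 SCTs, which begin with the version byte 0x00, stay distinguishable from v2 TransItem structures) is the actual justification, so consider adding "see note" or a pointer to Section 4.5 of this document in that cell so the row is not read as RFC 6962 defining those code points.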
 End of changes. 18 change blocks. 
26 lines changed or deleted 30 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/