Re: [Secdispatch] Dispatching draft on key consistency
Michael Richardson <mcr+ietf@sandelman.ca> Sat, 05 March 2022 19:03 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19E853A0A65 for <secdispatch@ietfa.amsl.com>; Sat, 5 Mar 2022 11:03:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ddHJXI1VAVvC for <secdispatch@ietfa.amsl.com>; Sat, 5 Mar 2022 11:03:23 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E413D3A0A62 for <secdispatch@ietf.org>; Sat, 5 Mar 2022 11:03:22 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 218C338A31; Sat, 5 Mar 2022 14:12:33 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 9IMUEx4Q6QMM; Sat, 5 Mar 2022 14:12:31 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 3ADDD3899B; Sat, 5 Mar 2022 14:12:31 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sandelman.ca; s=mail; t=1646507551; bh=dq/geWyCOU0Mi3Z/UORT5FfFG9u4+eQU0DL9LvuRNb8=; h=From:To:Subject:In-Reply-To:References:Date:From; b=taXruZUCl8bWyxXKkQakZvFMr2ImmcCjfzp7wJlsJhhE/ShY37DeTIoODSpoy+2gQ 7ZGQQW4K9W7E7nqTsvy8M3piZNw3gw+ajN+Zi1df6kBKY6SM6VMJ2dtAPfKRDW/gfn RzhcpYvsW6Y20Yuw9GEo0PuAOwwmSTKnnvFb9u8d/YQH0NSmcwGHExRTR748kDhqqr f2rhmkHjRF/Bw9XICdic8cno806V8wcftwcv4iscki4qQoYc1ahmwpacU5SokWKeOg EHzQNbSUaxbD3/QDIsXCC4ld9s08FFaiDsOlkRZfVXpQqu/6qStJLb7vj7K6RcrNG2 DIdnRHyAANDrQ==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id D60D51D3; Sat, 5 Mar 2022 14:03:18 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Christopher Wood <caw@heapingbits.net>, secdispatch@ietf.org
In-Reply-To: <8BB73374-E38C-40A5-A147-F469B8C24D01@heapingbits.net>
References: <8BB73374-E38C-40A5-A147-F469B8C24D01@heapingbits.net>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sat, 05 Mar 2022 14:03:18 -0500
Message-ID: <24889.1646506998@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/Hr0hSxK3ITQDEuccY-x9fIXL2x8>
Subject: Re: [Secdispatch] Dispatching draft on key consistency
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Mar 2022 19:03:28 -0000
Christopher Wood <caw@heapingbits.net> wrote: > There are a number of different protocols that require multiple clients > to discover a common — or consistent — cryptographic public key for > use, including: Privacy Pass [1], Oblivious DoH [2], and Oblivious HTTP > [3]. Consistency here means that all clients obtain the same view of > the public key. An inconsistent view can lead to privacy attacks. > For example, in Privacy Pass, if an attacker can somehow force a single > (set of) client(s) to use a public key that is distinct from all other > clients, then the key used effectively partitions the set of clients > into two buckets, and the size and number of these partitions influence > the overall privacy posture of the protocol. "somehow" ... such an attacker can substitute any on-path attacker key. I don't see how this is distinct from all the other attacks. > [4] https://datatracker.ietf.org/doc/draft-wood-key-consistency/ > [5] https://datatracker.ietf.org/doc/slides-110-privacypass-key-consistency-and-discovery/ In reviewing the documents, it seems that it's not "somehow", it's that the proxy has been persuaded to collude with a third party. Perhaps that would be better to say. Perhaps "persuaded" is the wrong term as well, since I think that the goal is to defend the proxy against NSLs that would force the proxy to collude. What is needed is a kind of canary such that for clients can detect when they are being singled out, and then refuse to operate with that proxy. By existence of such a mechanism, proxies can effectively render themselves useless to such forms of "persuasion". -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [Secdispatch] Dispatching draft on key consistency Christopher Wood
- Re: [Secdispatch] Dispatching draft on key consis… Michael Richardson
- Re: [Secdispatch] Dispatching draft on key consis… Christopher Wood
- Re: [Secdispatch] Dispatching draft on key consis… Michael Richardson
- Re: [Secdispatch] Dispatching draft on key consis… Christopher Wood
- Re: [Secdispatch] Dispatching draft on key consis… Eric Rescorla