[TLS] Photosynthesis, an update to Merkle Tree Certificates
David Benjamin <davidben@chromium.org> Fri, 20 June 2025 18:44 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id EC4AF377D231 for <tls@mail2.ietf.org>; Fri, 20 Jun 2025 11:44:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -9.499
X-Spam-Level:
X-Spam-Status: No, score=-9.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wm7hk5BSyZAt for <tls@mail2.ietf.org>; Fri, 20 Jun 2025 11:44:23 -0700 (PDT)
Received: from mail-ed1-x536.google.com (mail-ed1-x536.google.com [IPv6:2a00:1450:4864:20::536]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 57634377D22A for <tls@ietf.org>; Fri, 20 Jun 2025 11:44:23 -0700 (PDT)
Received: by mail-ed1-x536.google.com with SMTP id 4fb4d7f45d1cf-6097d144923so4537884a12.1 for <tls@ietf.org>; Fri, 20 Jun 2025 11:44:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1750445061; x=1751049861; darn=ietf.org; h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=3/PCAJBE1q/kMRnCxtTG2C6/Jk2GseawlcTlmV+vt5s=; b=kEqH4UVP/5oy8vEZiqsZEghPgyVCvOnc6XJwhCDLdfkJC8WpNskbqQNeLCq/y7ThUf c9BLXs37kYD4DyjyKzL432aILbWQkU2/j8VxVrZLLzwWELUsSDDDiXXvaspYxhzCmGWR gh6lCYtGKS3I+0NE0A2JSwTOcP5nGoXKziu9Q=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1750445061; x=1751049861; h=cc:to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=3/PCAJBE1q/kMRnCxtTG2C6/Jk2GseawlcTlmV+vt5s=; b=EiRfTgLJi2sCYb0lAK3R/YcUtSN7x9mKzfRvEmN/QGpzBQP9ewC1jb01w2km8QVNf7 xbOJFt5Ow35ICWlGbzNq2GSG/yL5z/5Z6R/K/OylggSUQJ1hsXwtqz97fFM/81lRUkFu qTKKrr2tCUccnPhgWr3+OkZm1ic3YBkv37R5taThYecais5v1l8Cjm4LwFLsiJ98/esG awwrzYAiOuF/28Itz3wvIg75DROHPHdklNJw9wQ+A38TBgjDH5T7o/Rtv071YMTbB0IH DSW5Qnlws3xyrSiW5dYRuRUMkAhOWQ4/1qh0nqvaslsXtSk4Lu5gkoEY4ZrlXu8gxuTO /BtA==
X-Gm-Message-State: AOJu0YzhYJ9TNU57T7I4uEIkLWzctq3SB6Ym/XwQRT95q3Mb8bvhjVwR eoO2n6c8jjrmMUcNIfwSxj7qZg8j4iWjk8biWp8WGiPKRa3VFwNK2VPT0qEe0UVTDdAa+SbXe9Z jNOhDvNhN61mR0Mp6QjW30iuJD1HsqIeY7eWW18Pl4VjRqs+Ub3UqZn74RA==
X-Gm-Gg: ASbGncsurz9BZgUzgO/E8hmbZfTdbEUnNinmA/MkwG+T8uqK0iW9NFNI4dDGllbybu5 hqLSKNTskZXDMXOvVZNAC8fmz9weh0OsjqcSs1S4P8gnnSexTDGnUFAzblIrubqV0U4QcofR3Ir g85h8tzx2F8Y0/khVS2hs/XO14BTSqqAOC7WL4rP99CA==
X-Google-Smtp-Source: AGHT+IHLi1yZ+pqIxEv3k7nby7wmhYA2bePupn8eCN/wGPQLk3o6qBsr52puJ7v2gqnPtasgH36hqNX4ZCqduVkhYm0=
X-Received: by 2002:a05:6402:84c:b0:607:f42f:d58e with SMTP id 4fb4d7f45d1cf-60a20ccbe8fmr3176989a12.12.1750445061197; Fri, 20 Jun 2025 11:44:21 -0700 (PDT)
MIME-Version: 1.0
From: David Benjamin <davidben@chromium.org>
Date: Fri, 20 Jun 2025 14:44:04 -0400
X-Gm-Features: AX0GCFujgM-NjbH-_E0Aiy_FBfXz3yZMNl0QoGKH0VA_axLKYJ9pgFieeVVzLQ8
Message-ID: <CAF8qwaDsznO8MUnn4e5GRpzZpZ-6jOz8KSMVhhu1KhX3-Tgu4w@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000012e7590638054080"
Message-ID-Hash: XOVFOE3RXV6ZMWRDP5HJXNKMTI2CR37J
X-Message-ID-Hash: XOVFOE3RXV6ZMWRDP5HJXNKMTI2CR37J
X-MailFrom: davidben@google.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Filippo Valsorda <ietf@filippo.io>, asymmetric@chromium.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Photosynthesis, an update to Merkle Tree Certificates
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/6jqhUVz58s4ZgsZ8HvuZftncT9A>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
Hi all, A while ago, we presented Merkle Tree Certificates, a certificate optimization for Web-PKI-like PKIs with a transparency requirement. We’ve since updated it with a new version, draft-05, which we’ve been informally calling “Photosynthesis”, so named because I enjoy silly puns too much: we are converting sunlight[0][1] into certificates. https://www.ietf.org/archive/id/draft-davidben-tls-merkle-tree-certs-05.txt https://www.ietf.org/archive/id/draft-davidben-tls-merkle-tree-certs-05.html Photosynthesis combines the Static CT API[2][3] with the ideas in Merkle Tree Certificates, which itself is a rehash of STH Discipline[4]. For context, the CT ecosystem is moving to a new “Static CT” API, as implementation experience has shown that the RFC 6962 and RFC 9162 APIs aren’t well-aligned with many common serving architectures, e.g. CDN caching. Where the original Merkle Tree Certificates only targeted the optimized case with a bespoke tree structure, Static CT showed one can implement a CT-scale log in an efficient, scalable, and cache-friendly way. The underlying “tlog” work also defines an ecosystem of “cosigners” and “witnesses”[5], which aligns with how we were envisioning the transparency ecosystem with Merkle Tree Certificates[6][7]. While the same core idea is there, the formulation is very different, so I’d encourage folks to take a look. In particular: * This gives a natural fast issuance flow, so Merkle Tree Certificates is now a single integrated mechanism. As it’s now integrated, we’ve changed from a custom certificate format to something based in X.509. (The log entry format is extensible to new formats.) * The design of the original Merkle Tree Certificates naturally led to some nice log size optimizations, which we’ve applied to Photosynthesis. Log entry sizes do not increase from post-quantum at all. Since this is really PKI work, not TLS, and thus outside this WG’s core expertise and scope, I don’t expect this work to ultimately live here. But since we first presented this work here, I wanted to let you all know about the update. One thing I’d like to call out is Section 8, which sketches how to use this with TLS. In particular, we’d really like to negotiate “cosigners” when presenting a certificate. This is analogous to today’s unsolved SCT negotiation problem, which is a part of why CT enforcement for the long tail of non-browser, Web-adjacent clients is difficult today. (That is probably a discussion in itself.) As always, this document is intended as a starting point. Although we’ve worked out many details concretely, this is only to help illustrate the design. (After all, we went from draft-04 to this formulation, and I would still consider this to be in continuity with draft-04!) Let us know if you have any thoughts, either here or on GitHub[8]! David [0] https://datatracker.ietf.org/doc/draft-laurie-pki-sunlight/12/ [1] https://sunlight.dev/ [2] https://c2sp.org/static-ct-api [3] https://letsencrypt.org/2025/06/11/reflections-on-a-year-of-sunlight/ [4] https://mailarchive.ietf.org/arch/msg/trans/Zm4NqyRc7LDsOtV56EchBIT9r4c/ (Apologies, Richard! I had thought I’d included your mail in the acknowledgements long ago but apparently forgot. It is there now.) [5] https://c2sp.org/tlog-witness [6] https://github.com/davidben/merkle-tree-certs/commit/0e87eafaf1378edea744ed9fb07df3583f8d16c4 [7] If you read earlier iterations of the MTC draft and balked at the “transparency service”, that was simply a poor choice of terminology on my part. It was always meant as an opaque “insert transparency ecosystem here” box to be filled in later. The relevant text in draft-03 was “This is conceptually a single service, but may be multiple services, run by multiple entities in concert.” [8] https://github.com/davidben/merkle-tree-certs
- [TLS] Photosynthesis, an update to Merkle Tree Ce… David Benjamin